Playbook fails at copying ssh keys


Anfield

Jul 8, 2017, 2:18:06 PM
to Ansible Project

I have the playbook below. I created ssh keys for dave on the localhost (ansible master) and am trying to create some users and groups and copy over ssh keys for some users, all in the playbook.

All works well until the copying over ssh keys part. I've confirmed the directory and public key exist for dave on the localhost, and the playbook created /home/dave/.ssh on the remote host.

Not sure why this would fail?

Playbook output -
TASK [Copy ths ssh public key into the authorized key dir on the remote host] ********
failed: [10.10.0.5 -> localhost] (item=frank) => {"failed": true, "item": "frank", "msg": "Unable to find '/home/frank/.ssh/id_rsa.pub' in expected paths."}
failed: [10.10.0.5 -> localhost] (item=joe) => {"failed": true, "item": "joe", "msg": "Unable to find '/home/joe/.ssh/id_rsa.pub' in expected paths."}
...ignoring
failed: [10.10.0.5 -> localhost] (item=dave) => {"failed": true, "item": "dave", "msg": "Unable to find '/home/dave/.ssh/id_rsa.pub' in expected paths."}

Playbook -
[ansible@localhost playbooks]$ vi userscreate.yml
- hosts: 10.10.0.5
  become: yes
  vars:
    grouplist:
      - devops
      - dbadbmins
      - serveradmins

    users:
      - frank
      - joe
      - dave

  tasks:
    - name: Create groups
      group:
        name: "{{ item }}"
        state: present
      with_items: "{{ grouplist }}"
      ignore_errors: yes

    - name: Create users
      user:
        name: "{{ item }}"
        state: present
      with_items: "{{ users }}"

    - name: create the users .ssh directories
      file:
        path: "/home/{{ item }}/.ssh"
        state: directory
        owner: "{{ item }}"
        group: "{{ item }}"
      register: user_dirs
      with_items: "{{ users }}"

    # copy reads src on the Ansible controller, not on 10.10.0.5
    - name: Copy ths ssh public key into the authorized key dir on the remote host
      copy:
        src: "/home/{{ item }}/.ssh/id_rsa.pub"
        dest: "/home/{{ item }}/.ssh/authorized_keys"
        owner: "{{ item }}"
        group: "{{ item }}"
      with_items: "{{ users }}"
      ignore_errors: true

Dick Davies

Jul 8, 2017, 8:36:07 PM
to ansible list
It's this part:

- name: Copy ths ssh public key into the authorized key dir on the remote host
  copy:
    src: "/home/{{item}}/.ssh/id_rsa.pub"

Are the public keys at those paths on the Ansible host?

Anfield

Jul 9, 2017, 10:39:04 PM
to Ansible Project, di...@hellooperator.net
Yes. Definitely. I even removed the variables in that part and just put in /home/dave/.ssh/id_rsa.pub.

Generated the same errors.

Dick Visser

Jul 10, 2017, 6:29:27 AM
to ansible...@googlegroups.com, di...@hellooperator.net
Permissions perhaps?
Keep in mind that you are able to use elevated privileges on the target host, so you have no problem writing files to users' home directories.
But it's likely that your own local account (the one you run your playbook as) usually does *not* have permission to access other local accounts (such as /home/dave), for obvious reasons.


Dick

--
Dick Visser
Sr. System & Network Engineer
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs

Anfield

Jul 10, 2017, 10:14:29 AM
to Ansible Project, di...@hellooperator.net
Good point. The playbook has become: yes in it - does that not apply to the commands that run on the localhost as well as the target? This playbook is just running against the target 10.10.0.5.

Maybe I'm misunderstanding the use of elevated permissions.



Anfield

Jul 12, 2017, 2:11:21 PM
to Ansible Project, di...@hellooperator.net
How would I get around this issue on the localhost? I tried adding become_user: root and that didn't work either.


Dick Davies

Jul 12, 2017, 2:22:39 PM
to Anfield, Ansible Project
Copy the public keys into the playbook directory.

Kai Stian Olstad

Jul 12, 2017, 2:26:36 PM
to ansible...@googlegroups.com
On 12 July 2017 20:11, Anfield wrote:
> How would I get around this issue on the localhost? I tried adding
> become_user: root and that didnt work either

It must be something with your setup.

Does this command work for the same user you are running
ansible-playbook with?

sudo cat /home/{frank,joe,dave}/.ssh/id_rsa.pub


--
Kai Stian Olstad

Gareth Hasson

Jul 12, 2017, 2:53:37 PM
to ansible...@googlegroups.com
Actually no, the playbook is running as the ansible user so cannot read those directories....

Thanks




Anfield

Jul 14, 2017, 11:56:49 AM
to Ansible Project, ansible-pr...@olstad.com
Thanks. So it's clear why this didn't work. Can I ask you how I can tell the playbook to switch to root to execute the commands on the localhost with escalated privileges?


Dick Davies

Jul 14, 2017, 12:02:48 PM
to ansible list
sudo ansible-playbook .....

will work, but then you're running the whole play as local root, which feels wrong.

I can't think why you'd want to do that if you aren't making changes to that host.

In this example you're shipping public keys, so there's no downside to having them locally (or better still version controlled, so you remove a particular workstation as a single point of failure).
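A worked version of Dick's suggestion, added here as an example and not part of the thread: the public keys sit under files/ next to the playbook (where they can be version controlled), so Ansible reads them on the controller as the ordinary ansible user with no sudo at all, while become: yes applies where it is actually needed, on the target. The authorized_key module in place of the copy task is my substitution, and the files/pubkeys/<user>.pub layout and the users list are assumptions.

```yaml
# Added example, not from the thread.
# Assumed (hypothetical) layout relative to this playbook:
#   files/pubkeys/frank.pub
#   files/pubkeys/joe.pub
#   files/pubkeys/dave.pub
- hosts: 10.10.0.5
  become: yes            # sudo on the target only; nothing on the controller needs root
  vars:
    users:
      - frank
      - joe
      - dave

  tasks:
    - name: Create users
      user:
        name: "{{ item }}"
        state: present
      with_items: "{{ users }}"

    # lookup('file', ...) runs on the controller as the user running
    # ansible-playbook; a file beside the playbook is readable without sudo.
    # authorized_key creates ~/.ssh (0700) and authorized_keys (0600) itself,
    # so the separate file task for the .ssh directory is no longer needed.
    - name: Install each user's public key from the playbook directory
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'files/pubkeys/' + item + '.pub') }}"
        state: present
        exclusive: yes     # only the managed key stays in authorized_keys
      with_items: "{{ users }}"
```

With the keys in the repository, a change to who may log in to 10.10.0.5 is a reviewed commit rather than whatever happens to be in a home directory on one workstation; exclusive: yes additionally removes any key that was added to the target outside of Ansible, so drop it if users are allowed to manage their own extra keys.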

Kai Stian Olstad

Jul 14, 2017, 1:25:59 PM
to ansible...@googlegroups.com
What I do is add all the public keys to the ansible configuration and copy them out from there.


But I guess you could have two plays in one playbook.

One that runs against localhost with become and uses the slurp module to get the content into memory/a variable.

And in play number two, copy the content of the variable from the first play out to authorized_keys.


Or, as Dick says, run ansible-playbook as root.


--
Kai Stian Olstad
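Kai's two-play approach, written out as an added example (not code from the thread): play one runs against localhost with become, so sudo is used only on the controller and only for reading the keys with slurp, instead of running the whole playbook as local root; play two runs against 10.10.0.5 and installs the base64-decoded content through hostvars['localhost']. The user list and the /home/<user>/.ssh/id_rsa.pub paths are the ones from the original playbook; using authorized_key rather than copy for the target side is my choice.

```yaml
# Added example, not from the thread: two plays in one playbook.
# Play 1: read the keys on the controller with elevated privileges there.
- hosts: localhost
  connection: local
  become: yes            # sudo on the controller only, to read other users' homes
  vars:
    users:
      - frank
      - joe
      - dave
  tasks:
    # slurp returns the file base64-encoded in .content; with a loop the
    # registered variable holds one entry per user under .results
    - name: Read each user's public key from the local home directory
      slurp:
        src: "/home/{{ item }}/.ssh/id_rsa.pub"
      register: local_pubkeys
      with_items: "{{ users }}"

# Play 2: write the keys on the target, where become: yes was meant to apply.
- hosts: 10.10.0.5
  become: yes
  vars:
    users:
      - frank
      - joe
      - dave
  tasks:
    - name: Create users
      user:
        name: "{{ item }}"
        state: present
      with_items: "{{ users }}"

    # Variables registered in play 1 live in hostvars['localhost'];
    # item.item is the user name the slurp task looped over.
    - name: Install the keys gathered in the first play
      authorized_key:
        user: "{{ item.item }}"
        key: "{{ item.content | b64decode }}"
        state: present
      with_items: "{{ hostvars['localhost'].local_pubkeys.results }}"
```

Scoping become to the localhost play keeps root on the controller limited to one read-only task; the account running ansible-playbook still needs sudo rights there, which is the permission the original single play never asked for on the controller side.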