using different remote_user until success

[william...@gmail.com]

I’ve been struggling with this and googling all morning and getting nowhere fast.

 

I am using aws dynamic inventory python script to get me an inventory of instances that I am going to make some changes to.

 

I need to do this on possibly a large number of accounts.  The first account I am working on has Linux instances of various flavours.

 

On some of the instances centos is the user to connect as, on other ec2-user… and I think there are a few imported images that use root, luckily they all use the same keypair.

 

So I create a list of these users as a var.  Now how can I try to connect as each user until success? And then continue on to tasks?

 

Sorry, my ansible is a bit rusty and everything I google seems to imply that you will know the user for each host and have that user in your inventory file.

 

Thanks for any advice!

 

Bill

 

 

 

[Brian Coca]

loop a ping task over the users and use 'ignore_unreachable' and
failed_when: false to keep running that task, register the result and
set ansible_user using the results.


--
----------
Brian Coca

[william...@gmail.com]

Hi Brian, this seemed like a good way to do it, but I haven't been able to make it work - I haven't done much logic in my plays... mostly just point and shoot tasks.

---
- hosts: test
gather_facts: false
tasks:
- name: try users
remote_user: "{{ item }}"
ping:
ignore_unreachable: true
failed_when: false
with_items:
- centos
- root
- ec2-user

When I run this, it loops 3 times, and at the start of each I get...

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CACVha7ewm22AQ7h9vG7qkfRL37-Zy8w7izdEGqQCD6trNrfKSw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[william...@gmail.com]

Sorry, pressed send inadvertently there...

-----Original Message-----
From: william...@gmail.com <william...@gmail.com>
Sent: Monday, July 8, 2019 10:09 AM
To: ansible...@googlegroups.com
Subject: RE: [ansible-project] using different remote_user until success

Hi Brian, this seemed like a good way to do it, but I haven't been able to make it work - I haven't done much logic in my plays... mostly just point and shoot tasks.

---
- hosts: test
gather_facts: false
tasks:
- name: try users
remote_user: "{{ item }}"
ping:
ignore_unreachable: true
failed_when: false
with_items:
- centos
- root
- ec2-user

When I run this, it loops 3 times, and at the start of each I get...

<xxx.xxx.xxx.xxx> ESTABLISH SSH CONNECTION FOR USER: centos

failed: [xxx.xxx.xxx.xxx] (item=centos) => {
"ansible_loop_var": "item",
"item": "centos",

< xxx.xxx.xxx.xxx > ESTABLISH SSH CONNECTION FOR USER: centos

failed: [xxx.xxx.xxx.xxx] (item=root) => {
"ansible_loop_var": "item",
"item": "root",
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).",
"unreachable": true
< xxx.xxx.xxx.xxx > ESTABLISH SSH CONNECTION FOR USER: centos
failed: [xxx.xxx.xxx.xxx] (item=ec2-user) => {
"ansible_loop_var": "item",
"item": "ec2-user",
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).",
"unreachable": true
}

So the item is changing, but it seems that you can only set remote_user once?

I assume remote_user is what I should be using in the playbook? Ansible_user in the config file and remote_user in the playbook right?

This seems like great solution if I could get it to work.

Any advice would be hugely appreciated at this point.

Regards
Bill

[Dan Linder]

Are you opposed to using a second playbook and using the "include:" module like this?

---
- hosts: all

  gather_facts: false
  tasks:
  - name: try users

    #remote_user: "{{ item }}"
    include: include-3.yml
    vars:
      my_remote_user: "{{ item }}"

    with_items:
      - centos
      - root
      - ec2-user

Then the "include-3.yml" file looks like this:

---
- name: try users
  remote_user: "{{ my_remote_user }}"

  ping:
  ignore_unreachable: true
  failed_when: false

This then tries to connect with each user:

<localhost> ESTABLISH SSH CONNECTION FOR USER: centos
<localhost> ESTABLISH SSH CONNECTION FOR USER: root
<localhost> ESTABLISH SSH CONNECTION FOR USER: ec2-user

To unsubscribe from this group and stop receiving emails from it, send an email to ansible...@googlegroups.com.

[william...@gmail.com]

Thanks,

 

I think that is sort of what my colleague was alluding to – slightly more elegant though.

 

So, it will run include-3.yml 3 times?  And one will succeed? I obviously have a number of tasks to run after this…

 

I was kind of hoping to keep this logic all in one with the idea that I might create a single report after about what user worked and what was done … ( not to say that couldn’t be done this way as well, but just my method of thinking)

 

Also it seem strange that assigning variable to remote_user seems to only work once – is that correct?

 

I actually dug down into the source and the ssh.py  connection plugin and it didn’t look as though it would be a big deal to pass a list to it but I don’t particularly want to wind up with my ‘own’ version of ansible plugins so unless someone thought it was worthwhile having then I probably won’t.

 

Saying that, as AWS instances do have different user accounts according to flavor, and you can’t get the flavor without connecting, it seems like it  might be useful?

 

Regards

Bill

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3a43d047-2da0-479f-b7e5-b3e1f286476a%40googlegroups.com.

[Dan Linder]

On Monday, July 8, 2019 at 2:41:54 PM UTC-5, william...@gmail.com wrote:

So, it will run include-3.yml 3 times?  And one will succeed?

Yes - in my testing, I added a good user account to use, and that one ran the ping successfully.

 

I obviously have a number of tasks to run after this…

In my scenariou we have a number of system that might use one of a number of different accounts - the list of what account is used where has been lost to time.

With a script like this we could have it run through a large list of accounts and note which one(s) succeed for each host.  After that is done, we then run a fix-it script to either update the systems to use a consistent account, or we update our system database so the proper account is known.  Regardless of which direction is gone, it is then easy to generate an inventory with the appropriate login account so Ansible can access them properly without having to try all the keys.

Also it seem strange that assigning variable to remote_user seems to only work once – is that correct?

Not sure - I didn't dig into the code to check.

 

I actually dug down into the source and the ssh.py  connection plugin and it didn’t look as though it would be a big deal to pass a list to it but I don’t particularly want to wind up with my ‘own’ version of ansible plugins so unless someone thought it was worthwhile having then I probably won’t.

I really shy away from mucking with the deep internals - especially when that code will probably get updated over time and future updates will overwrite my changes.

 

Saying that, as AWS instances do have different user accounts according to flavor, and you can’t get the flavor without connecting, it seems like it  might be useful?

I think so, yes.

Dan

[william...@gmail.com]

Thanks Dan,  I have opened a bug report on this as I don’t see why a variable should not be able to be assigned to remote_user and from various people looking at the simple playbook I don’t ‘think’ I am doing anything wrong syntactically.

 

I am going to try as you suggest in the meantime – thanks for the suggestion and the answers to my questions, much appreciated.

 

Regards

Bill

 

 

From: ansible...@googlegroups.com <ansible...@googlegroups.com> On Behalf Of Dan Linder
Sent: Tuesday, July 9, 2019 3:59 AM
To: Ansible Project <ansible...@googlegroups.com>
Subject: Re: [ansible-project] using different remote_user until success

 

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/48793d24-72dc-4f3e-bc64-93b490f34f88%40googlegroups.com.

[william...@gmail.com]

So I tried doing this as described with includes – I spun up a new Amazon Linux instance and things seemed to be working however I have now run into another problem…

 

When it tries to ping using centos user, it fails with unreachable – good

When it tries to ping using user ec2-user it works as expected and succeeds

When it tries to ping using user root, I get:

 

TASK [try users] ****************************************************************************************************************************************************************************************

[WARNING]: Unhandled error in Python interpreter discovery for host 10.5.162.167: unexpected output from Python interpreter discovery

 

[WARNING]: sftp transfer mechanism failed on [10.5.162.167]. Use ANSIBLE_DEBUG=1 to see detailed information

 

[WARNING]: scp transfer mechanism failed on [10.5.162.167]. Use ANSIBLE_DEBUG=1 to see detailed information

 

[WARNING]: Platform unknown on host 10.5.162.167 is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See

https://docs.ansible.com/ansible/2.8/reference_appendices/interpreter_discovery.html for more information.

 

ok: [10.5.162.167]

 

which is bad… I try to connect using normal ssh ro...@10.5.162.167 and it fails… so I don’t see how the above is resulting in an OK ☹

 

 

I have tried with -vvvv  and I can’t see exactly what is causing it…. I haven’t tried using debug yet, but thought I would post to see if the basic errors above mean anything to anyone?

 

I will setting ANSIBLE_DEBUG=1 later today when I have more time again – I have googled selections of the above and haven’t found anything meaningful as of yet.

 

Thanks, as always for any advice.

 

Regards

Bill

 

 

 

From: ansible...@googlegroups.com <ansible...@googlegroups.com> On Behalf Of Dan Linder
Sent: Tuesday, July 9, 2019 3:59 AM
To: Ansible Project <ansible...@googlegroups.com>
Subject: Re: [ansible-project] using different remote_user until success

 

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/48793d24-72dc-4f3e-bc64-93b490f34f88%40googlegroups.com.