Ansible configuration to run an Ansible Galaxy playbook


Jeremy Tourville

Jan 29, 2021, 3:27:38 PM
to Ansible Project
Hello,

I have been learning to use Ansible through Red Hat training for approximately the last 6 months or so.  I have learned how to build some of my own basic playbooks and roles.
For the first time I have decided to download and run a role from Ansible Galaxy (https://galaxy.ansible.com/geerlingguy/kubernetes).  I have several questions about making sure my environment, ansible.cfg, inventory, etc. is set up properly.

My Environment-

Ansible Control Node:
Ansible 2.9 on CentOS 8.2

Target Machines:
CentOS 8.3
Kubernetes Master: kube1
Kubernetes Workers: kube2, kube3

ANSIBLE CONFIG
/home/ansuser/ansible/ansible.cfg
[defaults]
inventory=./inventory
remote_user=ansuser
ask_pass=false

[privilege_escalation]
becom=true
become_method=sudo
become_ask_pass=true

INVENTORY
/home/ansuser/ansible/inventory
[kube-master]
kube1.idm.nac-issa.org kubernetes_role=master

[kube-node]
kube2.idm.nac-issa.org kubernetes_role=node
kube3.idm.nac-issa.org kubernetes_role=node

I have created a user "ansuser".  Ansuser has sudo permissions (but not passwordless sudo) and is a member of the wheel group.  I created my ssh keys with that user and copied them to the target servers.  ansible all -m ping works without any issues.

If I try to run the playbook with:
$ ansible-playbook kubernetes.yml
I will quickly run into a failure, the error is: "This command has to be run under the root user".  When prompted for the BECOME password, I provided the ansuser password.

I can add become_user=root to the config and provide the root user password.  I still get the same error message.

I could change my remote_user=root and that will allow the playbook to completely finish everything, but that forces me to run my Kubernetes cluster as root to download images, run pods, etc.  That doesn't seem right.

I could also adjust the specific play to use become, such as:

- name: Ensure the httpd service is running
  service:
    name: httpd
    state: started
  become: true

but that would be a lot of work because there are multiple sections requiring root privileges (further making me believe I am doing something wrong) and the developer who published these roles has a lot of experience.

What am I missing?  It seems like something is not correct with my environment that causes the playbook to fail at multiple points where root privilege is needed.  There must be some info I am not understanding or need explained in a different way so it makes sense.  I welcome everyone's input.  Thanks!

----KUBERNETES.YML PLAYBOOK----
---
- hosts: all

  vars:
    kubernetes_allow_pods_on_master: true

  roles:
    - geerlingguy.docker
    - geerlingguy.kubernetes

Dick Visser

Jan 29, 2021, 3:52:13 PM
to ansible...@googlegroups.com
On Fri, 29 Jan 2021 at 21:27, Jeremy Tourville <jeremyat...@gmail.com> wrote:
> ANSIBLE CONFIG
> /home/ansuser/ansible/ansible.cfg
> [defaults]
> inventory=./inventory
> remote_user=ansuser
> ask_pass=false
>
> [privilege_escalation]
> becom=true

Typo?
Put 'become: yes' here and your entire playbook will use that. 



Jeremy Tourville

Jan 29, 2021, 5:08:28 PM
to Ansible Project
OMG, how did I miss that?  No, not a typo, that is what I had configured.  Talk about missing something simple.  Thanks for pointing out my mistake!  <face palm> :-)
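The root cause in this thread is that Ansible silently ignores keys it does not recognise in ansible.cfg, so `becom=true` produced no warning, only plays failing wherever root was needed. As an added example (not from the thread or from Ansible itself), here is a small linter that reads an ansible.cfg, flags unknown keys in the `[defaults]` and `[privilege_escalation]` sections against a hand-maintained subset of known settings, and reports when become is not enabled. The sample configuration is constructed to match the one posted above.

```python
import configparser
from typing import Dict, List, Set

# Known ansible.cfg keys per section: a hand-picked subset of what Ansible 2.9
# accepts, not an exhaustive list (assumption: extend it for your own config).
KNOWN_KEYS: Dict[str, Set[str]] = {
    "defaults": {"inventory", "remote_user", "ask_pass", "host_key_checking",
                 "roles_path", "forks", "timeout", "log_path"},
    "privilege_escalation": {"become", "become_method", "become_user",
                             "become_ask_pass", "become_exe", "become_flags"},
}

# Constructed sample reproducing the thread's ansible.cfg, typo included.
SAMPLE_CFG = """\
[defaults]
inventory=./inventory
remote_user=ansuser
ask_pass=false

[privilege_escalation]
becom=true
become_method=sudo
become_ask_pass=true
"""

TRUE_VALUES = {"true", "yes", "1", "on"}


def lint_ansible_cfg(text: str) -> List[str]:
    """Return findings: unknown sections/keys and become not enabled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: List[str] = []
    for section in parser.sections():
        known = KNOWN_KEYS.get(section)
        if known is None:
            findings.append(f"unknown section [{section}] (not checked)")
            continue
        for key in parser[section]:
            if key not in known:
                findings.append(f"[{section}] unknown key '{key}' (silently ignored by Ansible)")
    become = ""
    if parser.has_section("privilege_escalation"):
        become = parser["privilege_escalation"].get("become", "")
    if become.strip().lower() not in TRUE_VALUES:
        findings.append("[privilege_escalation] become is not enabled; tasks that need root "
                        "will fail unless each play sets become itself")
    return findings


if __name__ == "__main__":
    for finding in lint_ansible_cfg(SAMPLE_CFG):
        print(finding)
```

On a real control node, `ansible-config dump --only-changed` is the quickest way to confirm that a setting such as `DEFAULT_BECOME` actually took effect from the file Ansible loaded.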