lining up users when bootstrapping a system


Greg Swift

Nov 12, 2015, 12:55:06 PM
to ansible...@googlegroups.com
I've been bashing at this since yesterday and have read around a lot and tried lots of things.  I figured it was time to try the list.

Basically I'm trying to create a playbook that will be used when bootstrapping a fresh host.  The root user is needed for the initial bootstrap.  After the on-target steps, several other systems have to have an action run on them authorizing the bootstrapped host, one of which is puppet.  Here are some examples of what I tried.

---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"
    - command: "puppet cert sign {{ ansible_fqdn }}"
      delegate_to: "{{ puppetmaster }}"

This fails because the auth to the puppetmaster would be using my standard network credentials, not the pre-bootstrap root user.

So I tried simply breaking this into multiple plays
---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"

- hosts: boxens
  tasks:
    - command: "puppet cert sign {{ ansible_fqdn }}"
      delegate_to: "{{ puppetmaster }}"

Which fails because puppet hasn't actually run, because its cert isn't signed, and so gather_facts doesn't work because it can't contact newboxen using my regular credentials.

So... loop through the group?

---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"

- hosts: puppetmaster
  gather_facts: no
  tasks:
    - command: "puppet cert sign {{ item }}"
      with_items: groups.boxens

Up until this step I've been running the task with a restricted host file that only contained the new boxes.  Since my puppetmaster would be in our normal inventory files expanding the input to this quickly makes groups.boxens pretty much every box... most of which are already signed.  I can do a 'creates' check against that, but it is still gonna try every one.

I've tried several other things, but all with more jank and less success than the above. It seems like I'm missing something fairly obvious, but no idea what.  Any suggestions?

thanks in advance

greg

Brian Coca

Nov 13, 2015, 2:06:33 AM
to Ansible Project
try:

- hosts: boxens
  remote_user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"
    - command: "puppet cert sign {{ ansible_fqdn }}"
      delegate_to: "{{ puppetmaster }}"
      remote_user: "{{lookup('env','USER')}}"

or just set your own user name directly.

--
Brian Coca

Greg Swift

Nov 16, 2015, 11:36:05 PM
to ansible...@googlegroups.com
The problem with setting the user directly is when the playbook is shared. Doing an env lookup has a problem in that local_user != remote_user.

-greg
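The following is an added example written for this page, not a playbook posted by Greg or Brian. It puts Brian's task-level remote_user suggestion into one complete play and addresses the follow-up objection (local login != remote login, and no hard-coded name in a shared playbook) by taking the puppetmaster login from a variable that can be set per environment in group_vars/host_vars or with -e, with the env lookup only as the fallback. Assumed names: the puppetmaster inventory variable from the thread, a puppetmaster_user variable, a packages list, a Puppet 3 style signed-cert path for the creates check Greg mentioned, and that signing on the CA needs privilege escalation (become) rather than a root login.

```yaml
---
# Added example, not from the thread. Bootstrap the fresh hosts as root,
# but perform the CA signing on the puppetmaster as a named admin account.
# Assumptions: 'puppetmaster' names the CA host, 'packages' is a list,
# 'puppetmaster_user' is supplied per environment (group_vars/host_vars/-e),
# and the signed-cert path follows the Puppet 3 layout.
- hosts: boxens
  remote_user: root            # only the fresh hosts accept the bootstrap root login
  vars:
    # Fallback only; override with -e or inventory when local != remote login.
    puppetmaster_user: "{{ lookup('env', 'USER') }}"
  tasks:
    - name: install baseline packages
      yum:
        name: "{{ item }}"
        state: present
      with_items: "{{ packages }}"

    - name: first puppet run, generates the key and submits the CSR
      command: puppet agent --noop --server={{ puppetmaster }}

    # Single play: ansible_fqdn comes from the facts gathered as root above,
    # so no second gather_facts against a host we cannot reach yet.
    - name: sign the new host's cert on the CA as the admin account, not root
      command: puppet cert sign {{ ansible_fqdn }}
      args:
        # Assumed Puppet 3 path: skips hosts that are already signed.
        creates: /var/lib/puppet/ssl/ca/signed/{{ ansible_fqdn }}.pem
      delegate_to: "{{ puppetmaster }}"
      remote_user: "{{ puppetmaster_user }}"
      become: yes               # assumed: signing needs root on the CA host
```

Run it against a restricted inventory that contains only the new hosts plus the puppetmaster, for example ansible-playbook -i bootstrap_hosts bootstrap.yml -e puppetmaster_user=<your admin login>. Keeping the signing step in the same play as the root bootstrap is what makes ansible_fqdn available without a second fact gather, and the per-task remote_user plus become keeps the root login confined to the one host that is still unprovisioned while the CA is touched only with an individually attributable account.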
