ansible-pull will ask for a pw if ansible.cfg contains ask_pass=true

Hi all,

it seems to me that ansible-pull will not work if it picks up a config which has ask_pass=true. I would’ve assumed that a “-c local” on the command line would overrule everything but it seems that’s not the case.

Problem is that I have everything (hosts,config, etc) in git which gets pulled. The first time the repo gets pulled, the “-m git -a…” of ansible-pull works fine but then hangs at the subsequent ansible-playbook.

Is this intended behavior?

Cheers,
Andy

PS: Maybe the same problem with ask_sudo_pass?

It’s not really an expected scenario for it to deal with.

Perhaps you should consider instead of using a configuration file, aliasing ansible to specify --ask-pass?

–Michael

I did use --ask-pass in the beginning but then decided to switch. I simply noted the error since I’m still in the beginning of setting up ansible. I think it’s not that far fetched that people use a config file (source control) and ask pass. A failing ansible-pull is a big deal IMO if you rely on something getting pushed out and don’t check the logs.

I think it’s not expected since few people seem to be using pull instead of push.

Even if this is unlikely, I still think it’s a bug and very intuitive. I don’t think it ever makes sense to ask for a password when you’re using a local connection instead of SSH (correct me if I’m wrong).

I’ve filed
https://github.com/ansible/ansible/issues/3720

If it’s something low priority I may come up with a pull request at some point.

Cheers

One alternative, since you have ansible.cfg in your repository, is to define the environmental variable ANSIBLE_CONFIG that has ask_pass set to false when you invoke ansible-pull.

http://www.ansibleworks.com/docs/examples.html#configuration-defaults

sf

I’m ok with ignoring ask pass if -c local is explicit on the command line (which ansible-pull uses).

I was thinking it wouldn’t make any sense if set on a particular playbook to turn it off, as another playbook might need it.

But -c local, sure.

Yes, that’s actually how I solved it. (It’s running fine for now). I have a cron tab that looks like this:

{{ schedule }} root ANSIBLE_CONFIG={{ workdir }}/ansible/ansible-pull.cfg GIT_SSH={{ workdir }}/ssh-ansible.sh ansible-pull -o -d {{ workdir }}/ansible -U {{ repo_url }} -i {{ workdir }}/ansible/hosts {{ playbook }} >>{{ logfile }} 2>&1

which actually gets me to my second request for ansible-pull: IMO It should take --private-key option just like ansible does. Having root ssh and git pull to the master host is not very secure since it will compromise your entire network if only one host is compromised. The GIT_SSH will point to a wrapper script which sets “-i id_rsa” command line option for my ssh://master_host//etc/ansible/.git repository. We can’t trust root on any of the ansible-pull servers since they’re used by tons of users and are possibly easily compromised. So with this wrapper script root can only get access to the master with a very underprivileged account.

Q: Did I oversee anything in this case? Is there an easier option to not have git pull as root from the master? How do people actually use ansible-pull? Root everywhere?

I think a --private-key would have to be passed to the git module which then passes “-o IdentityFile=…” to git.

Thanks for your input,
Andy

Scratch that. That was a brain fart. You can’t specify “-o IdentityFile” when invoking git. It’ll have to go through:

a) .ssh/config
b) ssh-agent + ssh-add
c) GIT_SSH env. variable.

You can use GIT_SSH to specify an identity file.

An unprotected git repo is easier here of course since you are wanting to have it set up for non-interactive periodic remediation, etc, and don’t want to have your password somewhere to feed to ssh-add if your key was locked.

–Michael