Playbook Failys atc copying ssh keys

Archives Ansible Project
1

I have the below playbook. Created ssh keys for dave on the localhost (ansible master) and trying to create some users, groups and copy over ssh keys for some users all in the playbook.

All works well until the copying over ssh keys part. Ive confirmed the directory and public key exists for dave on the localhost…and the playbook created /home/dave/.ssh on the remote host

Not sure why this would fail?

Playbook output -

TASK [Copy ths ssh public key into the authorized key dir on the remote host] ********
failed: [10.10.0.5 → localhost] (item=frank) => {“failed”: true, “item”: “frank”, “ms g”: “Unable to find ‘/home/frank/.ssh/id_rsa.pub’ in expected paths.”}
failed: [10.10.0.5 → localhost] (item=joe) => {“failed”: true, “item”: “joe”, “msg”: “Unable to find ‘/home/joe/.ssh/id_rsa.pub’ in expected paths.”}
…ignoring
failed: [10.10.0.5 → localhost] (item=dave) => {“failed”: true, “item”: “dave”, “msg” : “Unable to find ‘/home/dave/.ssh/id_rsa.pub’ in expected paths.”}

Playbook -
[ansible@localhost playbooks]$ vi userscreate.yml

  • hosts: 10.10.0.5
    become: yes
    vars:
    grouplist:
  • devops
  • dbadbmins
  • serveradmins

users:

  • frank
  • joe
  • dave

tasks:

  • name: Create groups
    group:
    name: “{{ item }}”
    state: present
    with_items: “{{grouplist}}”
    ignore_errors: yes

  • name: Create users
    user:
    name: “{{ item }}”
    state: present
    with_items: “{{users}}”

  • name: create the users .ssh directories
    file:
    path: “/home/{{item}}/.ssh”
    state: directory
    owner: “{{item}}”
    group: “{{item}}”
    register: user_dirs
    with_items: “{{users}}”

  • name: Copy ths ssh public key into the authorized key dir on the remote host
    copy

src: “/home/{{item}}/.ssh/id_rsa.pub”
dest: “/home/{{item}}/.ssh/authorized_keys”
owner: “{{item}}”
group: “{{item}}”

with_items: “{{users}}”
ignore_errors: true

2

It's this part:

    - name: Copy ths ssh public key into the authorized key dir on the
remote host
        copy
src: "/home/{{item}}/.ssh/id_rsa.pub"

are the public keys at those paths on the Ansible host?

3

Yes. Definitely. I even remove the variables in that part, and just put in /home/dave/.ssh/id_rsa.pub

Generated the same errors.

4

Permissions perhaps?
Keep in mind that you are able to use elevated privileges on the
target host, so you have no problem writing files to user's home
directories.
But it's likely that your own local account (the one you run your
playbook as) usually does *not* have permission to access other local
accounts (such as /home/dave) for obvious reasons.

Dick

5

Good point. The fact the playbook has become: yes in it - does that not apply to the commands that run on the localhost and the target? This playbook is just running against the target 10.10.0.5

Maybe I’m misunderstanding the use of the elevated permissions…

6

How would I get around this issue on the localhost? I tried adding become_user: root and that didnt work either

7

Copy the public keys into the playbook directory.

8

It must be something with your setup.

Does this command work for the same user you are running ansible-playbook with?

sudo cat /home/{frank,joe,dave}/.ssh/id_rsa.pub

9

Actually no, the playbook is running as the ansible user so cannot read those directories…

Thanks

10

Thanks. So its clear why this didnt work. Can I ask you how I can tell the playbook to switch to root to execute the commands on the localhost with escalated privileges?

11

sudo ansible-playbook .....

will work but then you're running the whole play as local root, which
feels wrong.

I can't think why you'd want to do that, if you aren't making changes
to that host.

In this example you're shipping public keys, there's no downside to having them
locally (or better still version controlled, so you remove a
particular workstation
as a single point of failure).

12

What is do is adding all the public keys to the ansible configuration and copies it out from there.

But i guess you could have to plays in one playbook.

One that runs against localhost with become and use slurp module to get the content in memory/variable.

And in play number two copy the content of the variable in the first play out to the authorized_keys.

Or as Dick say, run ansible-playbook as root.