Presently I do all system administration for my organization. Another colleague will soon be handling some administration duties. I have configured Ansible to add his user using the user module. In testing this, I also configured Ansible to configure my user “skyler” but this task always fails with the error “usermod: user skyler is currently logged in.” This leads me to believe that Ansible cannot manage the user that is currently running the Ansible play (in this case, set via ansible_ssh_user).
Which user should Ansible use? And if this user is different than my user or my colleague’s user, we will need to share those credentials, correct?
I was hoping we could run Ansible using our own individual accounts, and that Ansible would also manage these accounts, but this doesn’t seem possible.
Do I understand correctly, or have I missed something?
Hi Skyler,
This is a UNIX/Linux limitation actually. In general though, it is very common to have a single, shared account for system maintenance. There are many ways you can set this up without requiring a shared password (sudo, ssh keys with a passphrase, etc.), it really is a matter of personal preference.
You probably don't want to manage the user Ansible is running as via Ansible, no. You probably want Ansible to either ssh in as root, or as a default user account with sudo access (on standard Ubuntu images on EC2, for example, this user is 'ubuntu') that's already created before ansible runs.
pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock
Keep in mind that there are two things here: The user you run Ansible
as, and the remote user that Ansible acts as on the target systems. One
thing you can do is set remote_user to 'ansible', and then put your
admins' public keys in the 'ansible' user's authorized_keys file on the
target systems; then each can run Ansible as themselves, but Ansible acts
as 'ansible' on the target systems.
I'm not sure if that's better, from a best practices point of view, than
also having a shared *private* key for the 'ansible' user, having the
'ansible' user's authorized_keys file on the target systems contain only
the pubkey corresponding to that shared key, and have the admins run
Ansible as the 'ansible' user (e.g. 'sudo -u ansible ansible-playbook etc
etc'). I imagine it depends on your environment, and that there are
arguments either way.
-Josh (jbs@care.com)
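The layout Josh describes (log in as a shared 'ansible' account, each admin's public key in that account's authorized_keys, the admins' own accounts managed by the play), as an added example that is not from this thread or from the Ansible project. Hostnames, account names and key paths are placeholders; `ansible_user` is the newer spelling of the `ansible_ssh_user` variable mentioned above. The assert task encodes the usermod limitation from the first message: the account the play is connected as is left out of the managed set.

```yaml
# inventory.ini (placeholder hosts)
# [servers]
# web1.example.com
# [servers:vars]
# ansible_user=ansible     # Ansible 1.x spelled this ansible_ssh_user
# manage_admins.yml
- hosts: servers
  become: true                     # sudo on the target for the changes below
  vars:
    admins:                        # the human admins; key files are placeholders
      - { name: skyler, pubkey: "{{ lookup('file', 'keys/skyler.pub') }}" }
      - { name: colleague, pubkey: "{{ lookup('file', 'keys/colleague.pub') }}" }
  tasks:
    - name: Refuse to manage the account the play is connected as
      assert:
        that: ansible_user not in (admins | map(attribute='name') | list)
        fail_msg: "{{ ansible_user }} is the connecting user; usermod would refuse it"
    - name: Group that carries sudo rights for the human admins
      group:
        name: admins
    - name: Create or update each admin's own account
      user:
        name: "{{ item.name }}"
        groups: admins
        append: true
        shell: /bin/bash
      loop: "{{ admins }}"
    - name: Each admin's key goes in their own authorized_keys (interactive logins)
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.pubkey }}"
      loop: "{{ admins }}"
    - name: The same keys also authorize logins to the shared automation account
      authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ item.pubkey }}"
      loop: "{{ admins }}"
    - name: Sudo for the admins group, syntax-checked by visudo before install
      copy:
        dest: /etc/sudoers.d/admins
        content: "%admins ALL=(ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

Each admin still runs ansible-playbook from their own local account with their own private key; only the remote side is shared, and the sudoers drop-in keeps password-prompting sudo for the human accounts.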
Thanks for your reply.
> Keep in mind that there are two things here: The user you run Ansible
> as, and the remote user that Ansible acts as on the target systems. One
> thing you can do is set remote_user to ‘ansible’, and then put your
> admins’ public keys in the ‘ansible’ user’s authorized_keys file on the
> target systems; then each can run Ansible as themselves, but Ansible acts
> as ‘ansible’ on the target systems.
I’ve chosen this approach. It seems like I also need to set ansible_ssh_user because remote_user doesn’t seem to influence which SSH user is used when connecting. That is, unless I specify ansible_ssh_user in my inventory, though I have remote_user=ansible in my playbook, ansible-playbook wants to connect using the username of my local user.
Do I need to use ansible_ssh_user in addition to remote_user?
Apologies, I figured it out. I needed to provide an ssh password by using the -k flag.