2016-10-28

Ansible Online Notes

Online notes on technical issues I encountered using Ansible and their resolutions. Posting them online in case I need to refer to them again.
1.) The remote machine needs to have the python simplejson or json module
Resolution: Run an ad-hoc raw command (the raw module works even when the target has no usable Python) to install the module on the remote host:
ansible hostname -i inventory/hosts -m raw -a "sudo yum install -y python-simplejson" -k -u root -vvvv
2.) authorized_keys does not work on the target ssh server
Symptom: When ssh'ing from the Ansible server to the target server, it asks for a password even though .ssh/authorized_keys is set up.
Make sure the permissions on the ~/.ssh directory and its contents are correct. When I first set up my ssh key auth, I didn't have the ~/.ssh folder properly set up, and it yelled at me.
  • Your home directory ~, your ~/.ssh directory and the ~/.ssh/authorized_keys file on the remote machine must be writable only by you: rwx------ and rwxr-xr-x are fine, but rwxrwx--- is no good, even if you are the only user in your group (if you prefer numeric modes: 700 or 755, not 775). If ~/.ssh or authorized_keys is a symbolic link, the canonical path (with symbolic links expanded) is checked.
  • Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.
  • Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.
  • Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh (see e.g. Ubuntu bug 965663 and Debian bug report #658675; this is patched in CentOS 6).
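As an added example (not part of the original note), a small POSIX shell checker that applies the permission rules above to a home directory, following symlinks the way sshd does. It assumes GNU coreutils stat (Linux); the HOMEDIR and PRIVATE_KEY arguments are names chosen here, not from the note.

```shell
#!/bin/sh
# Added example: audit ssh key-auth permissions per the rules in the note.
# Assumes GNU stat. Usage: check_ssh_perms HOMEDIR [PRIVATE_KEY]

# mode_of PATH -> octal permission bits of the canonical path (sshd checks
# the symlink target, so follow links with -L)
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null
}

# has_bits PATH MASK -> 0 if any bit of octal MASK is set on PATH
has_bits() {
    m=$(mode_of "$1") || return 2
    [ -n "$m" ] || return 2
    # leading 0 makes the shell treat the mode as octal
    [ $(( 0$m & $2 )) -ne 0 ]
}

# check_ssh_perms HOMEDIR [PRIVATE_KEY] -> 0 when every rule holds,
# 1 when a rule is violated (each violation is printed), 2 if a path is missing
check_ssh_perms() {
    home=$1; key=$2; rc=0
    for d in "$home" "$home/.ssh"; do
        [ -d "$d" ] || { echo "missing: $d"; return 2; }
        # group/other write bits (022) make sshd ignore authorized_keys
        if has_bits "$d" 022; then echo "group/world writable: $d"; rc=1; fi
    done
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo "missing: $ak"; return 2; }
    if has_bits "$ak" 022; then echo "group/world writable: $ak"; rc=1; fi
    if ! has_bits "$ak" 0400; then echo "not owner-readable: $ak"; rc=1; fi
    if [ -n "$key" ]; then
        [ -f "$key" ] || { echo "missing: $key"; return 2; }
        # private key must be rw------- (600): no group/other bits at all
        if has_bits "$key" 077; then echo "private key not 600: $key"; rc=1; fi
    fi
    return $rc
}
```

Run it as the login user on the target (for example check_ssh_perms "$HOME") before digging into sshd debug output.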
If fixing the permissions does not work, on the target server run:
sudo su -
service sshd stop   (Note: this will not kill your current session)
/usr/sbin/sshd -d   (Note: debug mode)
service sshd start  (Note: do this when finished debugging, or else no one can ssh into the VM. Try ssh from a new terminal before exiting the main root terminal)
In debug mode you will see what sshd is doing when it tries to read the authorized_keys file.
In my case, sshd was reading the wrong file. To fix it I had to:
Edit /etc/ssh/sshd_config, and uncomment
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
Then restart sshd

service sshd stop
service sshd start
3.) Issue: The remote user needs to be able to "sudo su -" without a password, since the playbook needs to configure the iptables firewall and run other super-admin commands.

Resolution: Have the user add an entry to the /etc/sudoers file.
Backlog enhancement: Add a precondition check for root access, or find a way to make root access unnecessary.
4.) Ansible 2.2.0 had a bug:
https://github.com/ansible/ansible/issues/16128
Resolution: Updated Ansible from Git to the latest version
git pull --rebase
git submodule update --init --recursive
5.) Ansible has issues transferring files to the target server.
Ansible uses sftp to transfer files behind the scenes. Try
sftp user@target-server
to see whether you can sftp without a password.
If you cannot, sftp sometimes has issues with an echo in .bashrc (anything the login shell prints breaks the sftp protocol). Comment out the echo in .bashrc and try again.
If that does not work, force Ansible to use scp instead of sftp.
In /etc/ansible/ansible.cfg, add the line (in the [ssh_connection] section)
scp_if_ssh = True
or, if you cannot edit the ansible.cfg file, from the shell run
export ANSIBLE_SCP_IF_SSH=y
