Mainly add the ability to create master ssh key if it doesn't exist #5

Open
wants to merge 17 commits into
base: master

mickaelperrin

When provisioning inventories with master and slave, the slave role fails if the master role hasn't been run on the master server because the ssh-key doesn't exist yet.

This PR introduces the (configurable) ability to create the missing ssh-key on the master if it doesn't exist.

It also fixes some deprecation warnings and uses YAML syntax everywhere.

README.md Outdated
rsnapshot_master_ssh_key: id_rsa

# User used by the rsnapshot master to connect on the configured host
rsnapshot_slave_user: backupuser
rsnapshot_slave_user: backupuserrsnapshot_slave_user_shell: /bin/bash

Contributor

A carriage return is missing here

README.md Outdated
rsnapshot_master_ssh_key: id_rsa

# User used by the rsnapshot master to connect on the configured host
rsnapshot_slave_user: backupuser
rsnapshot_slave_user_password: Unencrypted_password #Use ansible vault to store it
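
Review bot: the documented default on the `rsnapshot_slave_user_password` line is a non-empty literal, so anyone who copies this README block verbatim ends up with a guessable password on the backup account. Document the variable as empty or unset and state that the real value belongs in an Ansible Vault file; the inline `#Use` comment also needs a space after the `#`.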

Contributor

I would prefer rsnapshot_slave_user_password: False as a default value

tasks/config.yml Outdated
user:
name: "{{ rsnapshot_slave_user }}"
password: "{{ rsnapshot_slave_user_password | password_hash('sha512') }}"
when: rsnapshot_slave_user_password is defined
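
Review bot: `password_hash('sha512')` on the `password:` line is called without a salt, so a new random salt is generated on every run and the task reports a change and rewrites the account's hash each time. Pass a fixed salt as the second argument of the filter or set `update_password: on_create` on the `user` task. The `is defined` condition also lets a defined but empty or boolean value through to the hash filter, so test for a non-empty value instead.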

Contributor

when: rsnapshot_slave_user_password should be enough, as it is defined by default (even to False).
But this task is weird, SSH login on accounts with no password works very well with an SSH key, are you sure we need this? It depends on the SSH server configuration maybe?

@mickaelperrin
Author

While performing some tests, the rsnapshot_slave_user has been blocked.

I thought it was because it has no password and I use some os/sshd hardening roles.

But to be honest, I didn't find the task which may have done the block.

@mickaelperrin
Author

mickaelperrin commented May 23, 2018

I just noticed that the rsnapshot_slave_user_password throws a really strange error:

The conditional check 'rsnapshot_slave_user_password' failed. The error was: error while evaluating conditional (rsnapshot_slave_user_password): 'password' is undefined

I don't understand why. I renamed the variable to rsnapshot_slave_userpassword and everything works...

I am missing something about Ansible I guess...

README.md Outdated
@@ -28,7 +28,7 @@ rsnapshot_master_ssh_key: id_rsa

# User used by the rsnapshot master to connect on the configured host
rsnapshot_slave_user: backupuser
rsnapshot_slave_user_password: False #If set, use an unencrypted value and store it in vault
rsnapshot_slave_userpassword: False #If set, use an unencrypted value and store it in vault
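
Review bot: on the `rsnapshot_slave_userpassword` line the default is the boolean `False` for a variable that otherwise carries a string, which forces every consumer to handle two types. Default it to an empty string and test for non-empty, and keep the `rsnapshot_slave_user_` prefix used by the `rsnapshot_slave_user` line above so the role's variable names stay consistent. The comment should also say that the role hashes the value before it reaches the `user` module, since "unencrypted" alone does not tell the reader what ends up on the host.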

Contributor

Why remove the _? rsnapshot_slave_user_password was perfectly fine :) Your error was that there was no rsnapshot_slave_user_password variable defined in defaults/main.yml.

Contributor

Oops, sorry, didn't see your comment...

@sebalix
Contributor

sebalix commented May 23, 2018

Strange, I don't know why... You can rename it with _passwd suffix, it works (already used that here: https://github.com/OCA/ansible-odoo/blob/master/defaults/main.yml#L7)

The conditional check 'rsnapshot_slave_user_password' failed. The error was: error while evaluating conditional (rsnapshot_slave_user_password): 'password' is undefined
@mickaelperrin
Author

FYI, I deployed in production with no password and backup didn't work.

I found this error message in auth.log:

May 25 11:46:01 extranet sshd[8151]: User rbackup not allowed because account is locked

So I tried to define a password with rsnapshot_slave_user_passwd and got stuck with some strange errors. I don't understand why the pattern var: False in defaults, then defining the vars in inventory vars, works for all other variables except for this one ??

If you have any idea that could help...

[12:17:31] sebalix.rsnapshot-slave : debug |  SUCCESS | 533ms
{
  - rsnapshot_slave_user_passwd: motdepasse
}
[12:17:31] sebalix.rsnapshot-slave : debug |  SUCCESS | 531ms
{
  - rsnapshot_slave_user_passwd|bool: False
}
[12:17:31] sebalix.rsnapshot-slave : Set password for backup user if provided | FAILED | 251ms
{
  - msg: The conditional check 'rsnapshot_slave_user_passwd' failed. The error was: error while evaluating conditional (rsnapshot_slave_user_passwd): 'motdepasse' is undefined

         The error appears to have been in '/Ansible/sebalix.rsnapshot-slave/tasks/config.yml': line 17, column 3, but may
         be elsewhere in the file depending on the exact syntax problem.

         The offending line appears to be:


         - name: Set password for backup user if provided
           ^ here
}

and even more strange

[12:27:48] sebalix.rsnapshot-slave : debug |  SUCCESS | 533ms
{
  - rsnapshot_slave_user_passwd: MonMotDePasseSecurisé
}
[12:27:48] sebalix.rsnapshot-slave : debug | SUCCESS | 538ms
{
  - rsnapshot_slave_user_passwd|bool: False
}
[12:27:49] sebalix.rsnapshot-slave : Set password for backup user if provided | FAILED | 228ms
{
  - msg: The conditional check 'rsnapshot_slave_user_passwd' failed. The error was: template error while templating string: unexpected char u'\xe9' at 26. String: {% if MonMotDePasseSecurisé %} True {% else %} False {% endif %}

         The error appears to have been in '/Ansible/sebalix.rsnapshot-slave/tasks/config.yml': line 17, column 3, but may
         be elsewhere in the file depending on the exact syntax problem.

         The offending line appears to be:


         - name: Set password for backup user if provided
           ^ here
}

@mickaelperrin
Author

Currently the only fix I see is to set rsnapshot_slave_user_passwd: "" as default value and use when: rsnapshot_slave_user_passwd != "".

But I don't understand why it works for rsnapshot_master_host for example....

@sebalix
Contributor

sebalix commented May 29, 2018

Well, maybe False is not the best value... I think Ansible modules behave differently following the value (False, false, no, or empty), for instance I just saw that cron_file option from the cron Ansible module interprets False as string "False" (generating a /etc/cron.d/False crontab...).

Try this:

rsnapshot_slave_user_passwd:

without any value by default to see what happens.
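
The failure discussed in this thread, as an added example that is not part of the PR or of the role's code: the error output above shows the variable's value being substituted into `{% if ... %}`, so a bare `when: <variable>` makes the Ansible run shown here parse the password itself as a Jinja2 expression and print it in the error message. The empty-string default and the `rsnapshot_slave_user_salt` variable are assumptions made for this sketch.

```yaml
# defaults/main.yml (constructed for this example)
# Empty string means "no password requested"; one type for all consumers.
rsnapshot_slave_user_passwd: ""
# Hypothetical variable: a fixed salt (at most 16 characters for sha512-crypt)
# kept in vault so the hash is stable between runs.
rsnapshot_slave_user_salt: ""

# tasks/config.yml
# Before (the pattern from the thread): the condition is a bare variable name.
# In the run logged above, the value replaced the name and was then evaluated:
#   motdepasse             -> "'motdepasse' is undefined"
#   MonMotDePasseSecurisé  -> "unexpected char u'\xe9'"
# Either way the clear-text password ends up in the task's error output.
- name: Set password for backup user if provided (bare-variable condition)
  user:
    name: "{{ rsnapshot_slave_user }}"
    password: "{{ rsnapshot_slave_user_passwd | password_hash('sha512') }}"
  when: rsnapshot_slave_user_passwd

# After: the condition is an explicit expression, so the value is only ever
# treated as data. default('', true) maps undefined, None, False and "" to "".
- name: Set password for backup user if provided
  user:
    name: "{{ rsnapshot_slave_user }}"
    # A fixed salt keeps the hash identical between runs, so the task only
    # reports "changed" when the password really changes.
    password: "{{ rsnapshot_slave_user_passwd | password_hash('sha512', rsnapshot_slave_user_salt) }}"
  when: rsnapshot_slave_user_passwd | default('', true) | length > 0
  # Keep the task's arguments and results out of logs and callback output.
  no_log: true
```

The same rule applies to the debug tasks used while troubleshooting: printing the variable, as in the output above, writes the password to the console and to any configured log.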
