How to set up Ansible SSH keys #1033
plugins/foreman_ansible/1.x/index.md
|
||
You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. | ||
|
||
If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user) |
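Review bot: the last line of the hunk should say the copied key must be readable only by `foreman-proxy` (mode 0600), not merely readable by it, and a `chmod` step belongs next to the `cp`: ssh silently ignores a private key that is group- or world-readable. Copying `id_rsa_foreman_proxy` to `id_rsa` also leaves two copies of the same private key to protect and rotate; if Ansible can be pointed at the existing file through its key-file setting, document that first and the copy as a fallback. Since the run is unattended, it is also worth stating that the key must not be passphrase-protected unless an agent supplies the passphrase.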
Does ansible require it to be named `id_rsa`? Can't it also use `id_rsa_foreman_proxy`? And it might be useful to mention that for ansible, the key can't be protected with a passphrase.
I tried using `ansible_private_key_file=/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy` in `/usr/share/foreman-proxy/.ansible.cfg`, to no avail. If you know how to make that work, that'd be a good thing to put in https://github.com/theforeman/puppet-foreman_proxy/blob/master/templates/plugin/ansible.cfg.erb
I thought ansible would use any ssh key available to the user, like ssh does, but I could be wrong. The option according to man should be `key_file` or `private_key`, so I'd try `ansible_private_key=...`
And looking at forklift's ansible.cfg, I see `private_key_file = $HOME/.vagrant.d/insecure_private_key`, so I guess it should be possible.
🤦♂️ I just saw we're sending `ansible_private_key_file = nil` in the inventory when the setting is empty. Therefore it just points to `~/.ssh/id_rsa` by default. When I change `ansible_private_key_file` at the setting or at the host level, it's fine.
I should be documenting this here. For some reason the setting does not show up in Settings > Ansible; local blip, or are you unable to see the setting too @ares?
I don't see it either, even though I see the definition in `./app/models/setting/ansible.rb`.
plugins/foreman_ansible/1.x/index.md
@@ -87,8 +89,22 @@ The project is not packaged, but you can find the sources here at [theforeman/fo | |||
|
|||
In Foreman, you should add whatever Ansible hosts you want to submit facts from to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. | |||
|
|||
Ansible will run using the SSH key of the smart-proxy or Foreman. These keys are automatically set by Foreman Remote Execution, so you may see them at /usr/share/foreman-proxy/.ssh . The foreman-proxy user needs write access to '/usr/share/foreman-proxy/.ansible' at least to create the '.ansible' local directory. We are working on making the instller automatically do this, but if it didn't do it. |
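Review bot: the last sentence of the hunk is cut off ("but if it didn't do it.") and "instller" is misspelled; either finish it with the manual steps the reader should take or drop the installer promise and point at a tracked issue. The path quoting is also inconsistent: `/usr/share/foreman-proxy/.ssh` is bare while `'/usr/share/foreman-proxy/.ansible'` uses single quotes, and the rest of the page uses backticks. Saying which directory the `foreman-proxy` user needs write access to (only `.ansible`, not its parent) would keep readers from loosening permissions on the package-owned tree.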
Can we move that to `/etc/foreman-proxy/ssh` and only install a symlink in `/usr/share/foreman-proxy`?
We can do that, but for 1.16 users this is not an option
I don't like putting promises of a change in documentation. Either refer to a redmine issue or leave it out IMHO.
Leaving for @ekohl to ack; if he does not add a comment I'll merge after a while.
plugins/foreman_ansible/1.x/index.md
* FOREMAN_SSL_CERT: The public key when using SSL client certificates (default "/etc/foreman/client_cert.pem") | ||
* FOREMAN_SSL_KEY: The private key when using SSL client certificates (default "/etc/foreman/client_key.pem") | ||
* FOREMAN_SSL_VERIFY: wether to verify SSL certificates. Use *False* | ||
to disable certificate checks. You can also set it to CA bundle (default is "True"). | ||
|
||
If you are using the Katello plugin, the SSL certificate and key are set at `/etc/httpd/conf.d/05-katello-ssl.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. By default these are at `/etc/pki/katello/certs/katello-default-ca.crt` and `/etc/pki/katello/private/katello-default-ca.key`. |
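Review bot: `FOREMAN_SSL_CERT` is described as "the public key", but the file is the client certificate; say so, or readers will point it at a `.pub` key. "wether" should be "whether", and the `FOREMAN_SSL_VERIFY` bullet should state that `False` disables validation of the Foreman endpoint's certificate entirely, so it belongs in troubleshooting only, with the CA-bundle form as the supported option. The Katello defaults also look wrong: `katello-default-ca.key` is, by its name, the CA's private key rather than a client key, and a CA key should never be handed to the callback; document a client certificate/key pair issued by that CA instead.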
Are you sure this is true? On my katello nightly box `/etc/httpd/conf.d/05-katello-ssl.conf` doesn't exist. AFAIK katello uses the same apache file, but different values.
plugins/foreman_ansible/1.x/index.md
``` | ||
sudo mkdir /usr/share/foreman-proxy/.ansible | ||
sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy/.ansible | ||
sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy |
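Review bot: the third command hands the `foreman-proxy` user ownership of the whole `/usr/share/foreman-proxy` tree, which is package-owned content that a package upgrade can reset and that the service user should not be able to modify; the second command already covers the only directory that needs to be writable, so the third should go. Prefer `foreman-proxy:foreman-proxy` over the `user.group` dot form, which chown accepts only for compatibility, and `mkdir -p` so re-running the steps is harmless.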
Is this line actually needed? From a security perspective it's undesirable, and a yum upgrade might just reset it for you (since it's not a config file).
plugins/foreman_ansible/1.x/index.md
If the Foreman setting `create_new_host_when_facts_are_uploaded` (Puppet tab) is true, and $HOSTNAME doesn't exist in Foreman, it will autocreate that host in Foreman. If it already exists, it will update the facts. | ||
|
||
If you want to use Ansible and submit facts/reports to Foreman, through the callback, you should add whatever hosts (again, except Smart Proxies) you want to submit facts **from** to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. e.g: If you're running Ansible from host 'A', which SSHs into host 'B', you need to add host 'A' |
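Review bot: the second paragraph should state what adding a host to `trusted_puppetmaster_hosts` grants. A host on that list can submit facts and reports on behalf of other hosts (host A reporting about host B in the example), and with `create_new_host_when_facts_are_uploaded` enabled (previous paragraph) it can create hosts in Foreman, so the list should contain only the Ansible control nodes and nothing that is merely a managed host. Minor: "whatever hosts" reads better as "the hosts", and "e.g:" should be "e.g.,".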
s/whatever/the/
plugins/foreman_ansible/1.x/index.md
sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy | ||
``` | ||
|
||
You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. |
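Review bot: "You may need do the same" is missing "to". The paragraph should also spell out what "the same" means for the `foreman` user (its own `.ansible` directory and SSH key under its home), and say which of the two setups, proxy or direct, is the recommended one: running Ansible directly from the Foreman host means the web application's user holds SSH credentials to managed hosts, which readers should choose knowingly.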
Personally I dislike this general design pattern that we can run it both with and without a proxy. It complicates the stack and IMHO we should avoid ever implementing it in the first place.
da441bb to 8b811c8
@ekohl Updated according to your comments, let me know what you think
* FOREMAN_SSL_CERT: The public key when using SSL client certificates (default "/etc/foreman/client_cert.pem") | ||
* FOREMAN_SSL_KEY: The private key when using SSL client certificates (default "/etc/foreman/client_key.pem") | ||
* FOREMAN_SSL_VERIFY: wether to verify SSL certificates. Use *False* | ||
to disable certificate checks. You can also set it to CA bundle (default is "True"). | ||
|
||
If you're using Foreman without Katello, the SSL certificate and key are set at `/etc/httpd/conf.d/foreman.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. | ||
|
||
If you are using the Katello plugin, the SSL certificate and key are set at `/etc/httpd/conf.d/05-foreman-ssl.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. By default these are at `/etc/pki/katello/certs/katello-apache.crt` and `/etc/pki/katello/private/katello-apache.key`. |
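Review bot: the non-Katello paragraph points at `/etc/httpd/conf.d/foreman.conf` while the Katello one points at `05-foreman-ssl.conf`; `SSLCertificateFile`/`SSLCertificateKeyFile` live in the SSL vhost file, so verify which file actually carries them on a puppet-foreman install rather than documenting two different ones. "wether" is still misspelled and `FOREMAN_SSL_CERT` is a certificate, not a public key. Reusing the Apache server certificate as the callback's client certificate also only works when the CA Foreman trusts for client certificates is the one that issued it, which the text should say.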
I checked on 1.16 and the keys are at `/etc/httpd/conf.d/foreman.conf` and `/etc/httpd/conf.d/05-foreman.conf` respectively; let me know if you think that is wrong and should instead point to some other file.
It should always be `05-foreman-ssl.conf`, both with and without katello, since puppet-foreman sets that up. In the katello scenario we just change the default answers from puppet locations to katello locations.
That said, I think in the katello scenario the correct certificate is the one we install for puppet server to talk back to foreman. It's guaranteed to be signed by the correct CA (remember there can be custom certificates signed by a different CA). It's also the same function: report callbacks. See https://github.com/theforeman/puppet-certs#certificates-overview
Maybe @stbenjam has some good insight here, but I think it would make sense to implement this in the installer.
|
||
``` | ||
sudo mkdir /usr/share/foreman-proxy/.ansible | ||
sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy/.ansible |
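Review bot: use `mkdir -p` and `chown foreman-proxy:foreman-proxy` (the dot separator is a legacy form chown still accepts), and consider a `chmod 700` on the directory: Ansible keeps its ControlPersist sockets under `~/.ansible/cp` by default, and those should not be reachable by other local users.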
Removed /usr/share/foreman-proxy from here
|
||
You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. | ||
|
||
The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. |
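Review bot: "You may need do the same" should be "need to do the same". The default-key sentence should say which path applies when: `/usr/share/foreman/.ssh/id_rsa` when Foreman runs Ansible itself and `/usr/share/foreman-proxy/.ssh/id_rsa` when a Foreman Proxy does; as written it reads as if either could be picked, and readers need to know which account's key they must provision and protect.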
Removed the promise to fix this in the installer
|
||
The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. | ||
|
||
If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user), or change the Setting `ansible_private_key_file` to point to it. |
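Review bot: the two options in the last paragraph are not equivalent for key hygiene, and the text should say which to prefer. Pointing `ansible_private_key_file` at the existing `id_rsa_foreman_proxy` keeps a single copy of the private key; `cp` creates a second copy that must be permissioned (0600, owned by `foreman-proxy`, since ssh ignores keys that are group- or world-readable) and rotated together with the original. "readable by the `foreman-proxy` user" should therefore be "readable only by", and "a ssh key" should be "an SSH key".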
I added the last bit about using the setting
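An added audit script for the key-selection question in this thread and the `ansible_private_key_file` paragraph above (example code written for this review, not Foreman or foreman_ansible code): it checks that the key Ansible will use exists, is readable only by its owner, belongs to the expected account and carries no passphrase, which an unattended run cannot supply. The `foreman-proxy` owner and the file names are assumptions taken from the docs text; the key material it writes is a constructed header, not a real key.

```python
# Audit the SSH private key Foreman's Ansible integration will use. Added example
# for this thread, not Foreman code; the foreman-proxy owner and paths are assumptions.
import base64, os, pwd, stat, tempfile
OPENSSH_MAGIC = b"openssh-key-v1\0"  # header of the current OpenSSH private key format

def is_passphrase_protected(key_bytes):
    """True if the key needs a passphrase, which an unattended Ansible run cannot supply."""
    if b"Proc-Type: 4,ENCRYPTED" in key_bytes:  # legacy PEM ("BEGIN RSA PRIVATE KEY") marker
        return True
    body = b"".join(line.strip() for line in key_bytes.splitlines() if not line.startswith(b"-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # not base64, so not an OpenSSH-format key either
        return False
    if not raw.startswith(OPENSSH_MAGIC):
        return False
    n = int.from_bytes(raw[15:19], "big")  # first length-prefixed string is the cipher name
    return raw[19:19 + n] != b"none"

def key_findings(key_path, expected_user="foreman-proxy"):
    """Problems with the key file (empty list: usable unattended); expected_user is a name or uid."""
    try:
        st = os.stat(key_path)
    except FileNotFoundError:
        return ["missing: Ansible falls back to ~/.ssh/id_rsa of the invoking user"]
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # ssh ignores such keys as "too open"
        findings.append(f"mode {stat.filemode(st.st_mode)} is accessible by group/others")
    want = expected_user if isinstance(expected_user, int) else pwd.getpwnam(expected_user).pw_uid
    if st.st_uid != want:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_user}")
    with open(key_path, "rb") as fh:
        if is_passphrase_protected(fh.read()):
            findings.append("passphrase-protected: Ansible cannot prompt for it")
    return findings

def make_sample_key(cipher):
    """Constructed openssh-key-v1 header with the given cipher name; not a usable key."""
    raw = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw) + b"-----END OPENSSH PRIVATE KEY-----\n"

def demo():
    """Write two constructed keys to a temp dir and audit them as the current uid."""
    tmp, results = tempfile.mkdtemp(), {}
    for name, cipher, mode in (("id_rsa", b"none", 0o600), ("id_rsa_foreman_proxy", b"aes256-ctr", 0o644)):
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh: fh.write(make_sample_key(cipher))
        os.chmod(path, mode)
        results[name] = key_findings(path, expected_user=os.getuid())
    return results
```

On a real host, call `key_findings` with the path from the `ansible_private_key_file` setting (or the `/usr/share/foreman-proxy/.ssh/id_rsa` default) and the account that runs Ansible.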
Quick read -> good from my side, waiting on @ekohl to confirm.
plugins/foreman_ansible/2.x/index.md
|
||
The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. | ||
|
||
If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user), or change the Setting `ansible_private_key_file` to point to it. |
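Review bot: this paragraph duplicates the 1.x text verbatim, so both copies need the same fixes and should be kept in sync: link the Remote Execution manual for where `id_rsa_foreman_proxy` comes from, change "readable by the `foreman-proxy` user" to "readable only by" (mode 0600, since ssh refuses looser permissions), and "a ssh key" to "an SSH key".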
A link to the Remote Execution Manual here or above would make sense.
@dLobatog Right now I don't know where I could set these variables so I can just run
@ekohl Which variables, `FOREMAN_HOST` & friends (used by the Ansible callback)? You may use `/etc/environment` if you just want to call `ansible` from your CLI (explained in line 36 of the new docs / 32 in the old docs).
With the packaging change in nightly and theforeman/puppet-foreman_proxy#424 I think we should have a decent out of the box experience. The known hosts is still a problem and even though we have
Could you revisit this? I think we should be promoting `ansible.cfg` over environment variables. In nightly we should now set this up automatically, though a warning that 2.5 is broken would be good.
Bump, are we still needing this? Seems like yes ;)
I think it was replaced by #1093
Yup, not needed anymore I would say.