How to set up Ansible SSH keys #1033
Conversation
plugins/foreman_ansible/1.x/index.md
Outdated
|
|
||
| You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. | ||
|
|
||
| If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user) |
There was a problem hiding this comment.
does ansible require it to be named id_rsa? can't it also use id_rsa_foreman_proxy? and it might be useful to mentione that for ansible, the key can't be protected with passphrase.
There was a problem hiding this comment.
I tried using ansible_private_key_file=/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy on /usr/share/foreman-proxy/.ansible.cfg, to no avail, if you know how to make that work that'd be a good thing to put in https://github.com/theforeman/puppet-foreman_proxy/blob/master/templates/plugin/ansible.cfg.erb
There was a problem hiding this comment.
I thought ansible would use any ssh key available to the user, like ssh does but I could be wrong, the option accroding to man should be key_file or private_keyso I'd tryansible_private_key=...`
There was a problem hiding this comment.
and looking at forklift's ansible.cfg, I see private_key_file = $HOME/.vagrant.d/insecure_private_key so I guess it should be possible
There was a problem hiding this comment.
🤦♂️ I just saw we're sending a ansible_private_key_file = nil on the inventory when the setting is empty. Therefore it just points to ~.ssh/id_rsa by default. When I change ansible_private_key_file at the setting or at the host level, it's fine.
I should be documenting this here - for some reason the setting does not show up in Settings > Ansible, local blip or are you unable to see the setting too @ares ?
There was a problem hiding this comment.
I don't see it either even though I see the definition in ./app/models/setting/ansible.rb
There was a problem hiding this comment.
plugins/foreman_ansible/1.x/index.md
Outdated
| @@ -87,8 +89,22 @@ The project is not packaged, but you can find the sources here at [theforeman/fo | |||
|
|
|||
| In Foreman, you should add whatever Ansible hosts you want to submit facts from to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. | |||
|
|
|||
| Ansible will run using the SSH key of the smart-proxy or Foreman. These keys are automatically set by Foreman Remote Execution, so you may see them at /usr/share/foreman-proxy/.ssh . The foreman-proxy user needs write access to '/usr/share/foreman-proxy/.ansible' at least to create the '.ansible' local directory. We are working on making the instller automatically do this, but if it didn't do it. | |||
There was a problem hiding this comment.
Can we move that to /etc/foreman-proxy/ssh and only install a symlink in /usr/share/foreman-proxy?
There was a problem hiding this comment.
We can do that, but for 1.16 users this is not an option
There was a problem hiding this comment.
I don't like putting promises of a change in documentation. Either refer to a redmine issue or leave it out IMHO.
plugins/foreman_ansible/1.x/index.md
Outdated
| * FOREMAN_SSL_CERT: The public key when using SSL client certificates (default "/etc/foreman/client_cert.pem") | ||
| * FOREMAN_SSL_KEY: The private key when using SSL client certificates (default "/etc/foreman/client_key.pem") | ||
| * FOREMAN_SSL_VERIFY: wether to verify SSL certificates. Use *False* | ||
| to disable certificate checks. You can also set it to CA bundle (default is "True"). | ||
|
|
||
| If you are using the Katello plugin, the SSL certificate and key are set at `/etc/httpd/conf.d/05-katello-ssl.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. By default these are at `/etc/pki/katello/certs/katello-default-ca.crt` and `/etc/pki/katello/private/katello-default-ca.key`. |
There was a problem hiding this comment.
Are you sure this is true? On my katello nightly box /etc/httpd/conf.d/05-katello-ssl.conf doesn't exist. AFAIK katello uses the same apache file, but different values.
plugins/foreman_ansible/1.x/index.md
Outdated
| @@ -87,8 +89,22 @@ The project is not packaged, but you can find the sources here at [theforeman/fo | |||
|
|
|||
| In Foreman, you should add whatever Ansible hosts you want to submit facts from to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. | |||
|
|
|||
| Ansible will run using the SSH key of the smart-proxy or Foreman. These keys are automatically set by Foreman Remote Execution, so you may see them at /usr/share/foreman-proxy/.ssh . The foreman-proxy user needs write access to '/usr/share/foreman-proxy/.ansible' at least to create the '.ansible' local directory. We are working on making the instller automatically do this, but if it didn't do it. | |||
There was a problem hiding this comment.
I don't like putting promises of a change in documentation. Either refer to a redmine issue or leave it out IMHO.
plugins/foreman_ansible/1.x/index.md
Outdated
| ``` | ||
| sudo mkdir /usr/share/foreman-proxy/.ansible | ||
| sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy/.ansible | ||
| sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy |
There was a problem hiding this comment.
Is this line actually needed? From a security perspective it undesirable and a yum upgrade might just reset it for you (since it's not a config file).
plugins/foreman_ansible/1.x/index.md
Outdated
| If the Foreman setting `create_new_host_when_facts_are_uploaded` (Puppet tab) is true, and $HOSTNAME doesn't exist in Foreman, it will autocreate that host in Foreman. If it already exists, it will update the facts. | ||
|
|
||
| If you want to use Ansible and submit facts/reports to Foreman, through the callback, you should add whatever hosts (again, except Smart Proxies) you want to submit facts **from** to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. e.g: If you're running Ansible from host 'A', which SSHs into host 'B', you need to add host 'A' |
plugins/foreman_ansible/1.x/index.md
Outdated
| sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy | ||
| ``` | ||
|
|
||
| You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. |
There was a problem hiding this comment.
Personally I dislike this general design pattern that we can run it both with and without a proxy. It complicates the stack and IMHO we should avoid ever implementing it in the first place.
dLobatog
force-pushed
the
ansible-docs
branch
3 times, most recently
from
da441bb
to
8b811c8
Compare
| * FOREMAN_SSL_CERT: The public key when using SSL client certificates (default "/etc/foreman/client_cert.pem") | ||
| * FOREMAN_SSL_KEY: The private key when using SSL client certificates (default "/etc/foreman/client_key.pem") | ||
| * FOREMAN_SSL_VERIFY: wether to verify SSL certificates. Use *False* | ||
| to disable certificate checks. You can also set it to CA bundle (default is "True"). | ||
|
|
||
| If you're using Foreman without Katello, the SSL certificate and key are set at `/etc/httpd/conf.d/foreman.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. | ||
|
|
||
| If you are using the Katello plugin, the SSL certificate and key are set at `/etc/httpd/conf.d/05-foreman-ssl.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. By default these are at `/etc/pki/katello/certs/katello-apache.crt` and `/etc/pki/katello/private/katello-apache.key`. |
There was a problem hiding this comment.
I checked on 1.16 and the keys are at /etc/httpd/conf.d/foreman.conf and /etc/httpd/conf.d/05-foreman.conf respectively, let me know if you think that is wrong and should instead point to some other file
There was a problem hiding this comment.
It should always be 05-foreman-ssl.conf. Both with and without katello since puppet-foreman sets that up. In the katello scenario we just change the default answers from puppet locations to katello locations.
That said, I think in the katello scenario the correct certificate is the one we install for puppet server to talk back to foreman. It's guaranteed to be signed by the correct CA (remember there can be custom certificates signed by a diffferent CA). It's also the same function: report callbacks. See https://github.com/theforeman/puppet-certs#certificates-overview
Maybe @stbenjam has some good insight here, but I think it would make sense to implement this in the installer.
|
|
||
| ``` | ||
| sudo mkdir /usr/share/foreman-proxy/.ansible | ||
| sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy/.ansible |
There was a problem hiding this comment.
Removed /usr/share/foreman-proxy from here
|
|
||
| You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. | ||
|
|
||
| The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. |
There was a problem hiding this comment.
Removed the promise to fix this in the installer
|
|
||
| The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. | ||
|
|
||
| If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user), or change the Setting `ansible_private_key_file` to point to it. |
There was a problem hiding this comment.
I added the last bit about using the setting
|
quick read -> good from my side, waiting on @ekohl to confirm |
plugins/foreman_ansible/2.x/index.md
Outdated
|
|
||
| The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. | ||
|
|
||
| If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user), or change the Setting `ansible_private_key_file` to point to it. |
There was a problem hiding this comment.
A link to the Remote Execution Manual here or above would make sense.
|
@dLobatog Right now I don't know where I could set these variables so I can just run |
|
With the packaging change in nightly and theforeman/puppet-foreman_proxy#424 I think we should have a decent out of the box experience. The known hosts is still a problem and even though we have |
|
Bump, are we still needing this? Seems like yes ;) |
|
I think it was replaced by #1093 |
No description provided.