-
Notifications
You must be signed in to change notification settings - Fork 255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to set up Ansible SSH keys #1033
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -46,12 +46,16 @@ For Ansible versions older than 2.2: | |
|
||
You can configure it via the following environment variables: | ||
|
||
* FOREMAN_URL: the URL of your Foreman installation (default "http://localhost:3000") | ||
* FOREMAN_URL: the URL of your Foreman installation (default "http://localhost:3000") - change it to your Foreman URL, e.g: "https://myforeman.mylocal.lan", it should not be port 3000. | ||
* FOREMAN_SSL_CERT: The public key when using SSL client certificates (default "/etc/foreman/client_cert.pem") | ||
* FOREMAN_SSL_KEY: The private key when using SSL client certificates (default "/etc/foreman/client_key.pem") | ||
* FOREMAN_SSL_VERIFY: wether to verify SSL certificates. Use *False* | ||
to disable certificate checks. You can also set it to CA bundle (default is "True"). | ||
|
||
If you're using Foreman without Katello, the SSL certificate and key are set at `/etc/httpd/conf.d/foreman.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. | ||
|
||
If you are using the Katello plugin, the SSL certificate and key are set at `/etc/httpd/conf.d/05-foreman-ssl.conf`. SSLCertificateFile, SSLCertificateKeyFile contain the values for FOREMAN_SSL_CERT and FOREMAN_SSL_KEY. By default these are at `/etc/pki/katello/certs/katello-apache.crt` and `/etc/pki/katello/private/katello-apache.key`. | ||
|
||
To obtain a valid certificate for your host follow the procedure as described [here](http://theforeman.org/manuals/latest/index.html#4.3.10SSL) | ||
See the [python-requests documentation](http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification) on the details of certificate setup. | ||
|
||
|
@@ -87,8 +91,23 @@ The project is not packaged, but you can find the sources here at [theforeman/fo | |
|
||
In Foreman, you should add whatever Ansible hosts you want to submit facts from to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. | ||
|
||
Ansible will run using the SSH key of the smart-proxy or Foreman. These keys are automatically set by Foreman Remote Execution, so you may see them at /usr/share/foreman-proxy/.ssh . The foreman-proxy user needs write access to '/usr/share/foreman-proxy/.ansible' at least to create the '.ansible' local directory. | ||
|
||
``` | ||
sudo mkdir /usr/share/foreman-proxy/.ansible | ||
sudo chown foreman-proxy.foreman-proxy /usr/share/foreman-proxy/.ansible | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Removed /usr/share/foreman-proxy from here |
||
``` | ||
|
||
You may need do the same for the `foreman` user, so that it can run Ansible directly from the Foreman host without a Foreman Proxy. | ||
|
||
The SSH key used for the execution can be set by the `ansible_private_key_file` setting (find it under Administer > Settings > Ansible tab). If you leave that field empty, `/usr/share/foreman/.ssh/id_rsa` or `/usr/share/foreman-proxy/.ssh/id_rsa` will be used by default. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Removed the promise to fix this in the installer |
||
|
||
If you have Foreman Remote Execution already, it is likely you have a ssh key in `/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy`. You may copy it to `/usr/share/foreman-proxy/.ssh/id_rsa` so that Ansible is able to use it (ensure that the file is readable by the `foreman-proxy` user), or change the Setting `ansible_private_key_file` to point to it. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added the last bit about using the setting |
||
|
||
If the Foreman setting `create_new_host_when_facts_are_uploaded` (Puppet tab) is true, and $HOSTNAME doesn't exist in Foreman, it will autocreate that host in Foreman. If it already exists, it will update the facts. | ||
|
||
If you want to use Ansible and submit facts/reports to Foreman, through the callback, you should add the hosts (again, except Smart Proxies) you want to submit facts **from** to the setting `trusted_puppetmaster_hosts`. Change it at Administer > Settings, Auth tab. e.g: If you're running Ansible from host 'A', which SSHs into host 'B', you need to add host 'A' | ||
|
||
Similarly, the Foreman setting `ignore_puppet_facts_for_provisioning` (Provisioning tab) is set to false, facts related to interfaces will update the interfaces of $HOSTNAME in Foreman. | ||
|
||
There are several Ansible options you can configure under Administer -> Settings in case you need to configure the Ansible port, user, etcetera. You can override these options on any host via Host parameters, Host group parameters or Global parameters by setting the attributes as explained on the settings description (e.g: a parameter 'ansible_user' on a host will make Foreman use that parameter as the Ansible user instead of the default) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked on 1.16 and the keys are at
/etc/httpd/conf.d/foreman.conf
and/etc/httpd/conf.d/05-foreman.conf
respectively, let me know if you think that is wrong and should instead point to some other fileThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should always be
05-foreman-ssl.conf
. Both with and without katello since puppet-foreman sets that up. In the katello scenario we just change the default answers from puppet locations to katello locations.That said, I think in the katello scenario the correct certificate is the one we install for puppet server to talk back to foreman. It's guaranteed to be signed by the correct CA (remember there can be custom certificates signed by a diffferent CA). It's also the same function: report callbacks. See https://github.com/theforeman/puppet-certs#certificates-overview
Maybe @stbenjam has some good insight here, but I think it would make sense to implement this in the installer.