ssh as non-root #62
Comments
Could you please post how you set up sudo in the playbook? Though it looks like it either can't connect to tallboy-jailhost at all or it doesn't have permission to create the file in $HOME/.ansible. Could you try with

Here is my ansible.cfg:

```
[defaults]
remote_user=my-non-root-user
roles_path = /usr/local/etc/asible/roles

[ssh_connection]
ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes
```
For those following, several ports were upgraded offline:

```
Mar 3 21:35:37 ansible pkg: py27-ploy upgraded: 1.0.3 -> 1.1.0
Mar 3 21:35:37 ansible pkg: py27-ploy_ec2 upgraded: 1.1.0 -> 1.1.1
Mar 3 21:35:37 ansible pkg: py27-ploy_ansible upgraded: 1.2.2 -> 1.2.4
```

My thanks to fschulze for the work and to koobs for committing it to the ports tree.

After fixing the server so sudo auth via ssh-agent worked, I ran:

```
ploy configure -vvv tallboy-jailhost
```

It terminated with:

```
TASK: [jails_host | Setup data zpool] *****************************************
geli=False version=28 name=tank devices= raid_mode=detect
u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=kpbwbaexlbscczsbrscvimipwzwtnbrw] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-kpbwbaexlbscczsbrscvimipwzwtnbrw; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/local/bin/python2.7 /usr/home/THEUSER/.ansible/tmp/ansible-tmp-1425421116.71-115795154719892/zpool; rm -rf /usr/home/THEUSER/.ansible/tmp/ansible-tmp-1425421116.71-115795154719892/ >/dev/null 2>&1\'"\'"\'\''
failed: [tallboy-jailhost] => {"failed": true}
msg: Don't know how to handle 0 number of devices ().

FATAL: all hosts have already failed -- aborting
```

I have:

```
$ pkg info
ezjail-3.4.1                   Framework to easily create, manipulate, and run FreeBSD jails
gettext-runtime-0.19.4         GNU gettext runtime libraries and programs
indexinfo-0.2.2                Utility to regenerate the GNU info page index
libffi-3.2.1                   Foreign Function Interface
pam_ssh_agent_auth-0.10.2      PAM module which permits authentication via ssh-agent
perl5-5.18.4_11                Practical Extraction and Report Language
pkg-1.4.12                     Package manager
python-2.7_2,2                 The "meta-port" for the default version of Python interpreter
python2-2_3                    The "meta-port" for version 2 of the Python interpreter
python27-2.7.9                 Interpreted object-oriented programming language
sudo-1.8.12                    Allow others to run commands as root
$
```

Configuration is:

```
# cat etc/ploy.conf
[plain-instance:tallboy]
host = tallboy
user = REDACTED
fingerprint = REDACTED
ansible_sudo = true

[ez-master:tallboy-jailhost]
ssh-extra-args = forwardagent yes
instance = tallboy
roles = jails_host
sudo = true
```

And:

```
$ zfs list
NAME                         USED  AVAIL  REFER  MOUNTPOINT
system                      1.59G   436G    96K  /system
system/bootenv              1.05G   436G    96K  none
system/bootenv/default      1.05G   436G   928M  /
system/tmp                   150M   436G   150M  /tmp
system/usr                   169M   436G    96K  /usr
system/usr/home              812K   436G   732K  /usr/home
system/usr/local             168M   436G   158M  /usr/local
system/usr/obj                96K   436G    96K  /usr/obj
system/usr/ports             288K   436G    96K  /usr/ports
system/usr/ports/distfiles    96K   436G    96K  /usr/ports/distfiles
system/usr/ports/packages     96K   436G    96K  /usr/ports/packages
system/usr/src                96K   436G    96K  /usr/src
system/var                   234M   436G  27.6M  /var
system/var/crash              96K   436G    96K  /var/crash
system/var/db                205M   436G   153M  /var/db
system/var/db/pkg           51.2M   436G  26.4M  /var/db/pkg
system/var/empty              96K   436G    96K  /var/empty
system/var/log               412K   436G   308K  /var/log
system/var/mail              308K   436G   244K  /var/mail
system/var/run               412K   436G   228K  /var/run
system/var/tmp               160K   436G    96K  /var/tmp
$ zpool list
NAME    SIZE  ALLOC  FREE  FRAG  EXPANDSZ  CAP  DEDUP  HEALTH  ALTROOT
system  452G  1.59G  450G    0%         -   0%  1.00x  ONLINE  -
$
```
That message comes up when there are no devices detected at /dev/gpt. You normally would have to set

It looks like you have the whole disk for

You may also have to adjust
Does this confirm your theories:

```
$ gpart show
=>       34  976773101  ada0  GPT  (466G)
         34          6        - free -  (3.0K)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048   16777216     2  freebsd-swap  (8.0G)
   16779264  954204160     3  freebsd-zfs  (455G)
  970983424    5789711        - free -  (2.8G)

=>       34  976773101  ada1  GPT  (466G)
         34          6        - free -  (3.0K)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048   16777216     2  freebsd-swap  (8.0G)
   16779264  954204160     3  freebsd-zfs  (455G)
  970983424    5789711        - free -  (2.8G)
$
```
Progress:

```
TASK: [jails_host | Initialize ezjail (may take a while)] *********************
failed: [tallboy-jailhost] => {"changed": true, "cmd": ["ezjail-admin", "install", "-h", "ftp.freebsd.org", "-r", "10.1-RELEASE-p5"], "delta": "0:00:01.576269", "end": "2015-03-04 00:30:41.451221", "rc": 1, "start": "2015-03-04 00:30:39.874952", "warnings": []}
stderr: fetch: ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/snapshot/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/snapshots/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
Could not fetch base from ftp://ftp.freebsd.org.
Maybe your release (10.1-RELEASE-p5) is specified incorrectly or the host ftp.freebsd.org does not provide that release build.
Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.
stdout: Querying your ftp-server...
The ftp server you specified (ftp.freebsd.org) seems to provide the following builds:
lrwxr-xr-x   1 ftp  ftp   18 Jan 17  2014 10.0-RELEASE -> amd64/10.0-RELEASE
lrwxr-xr-x   1 ftp  ftp   18 Nov 12 05:56 10.1-RELEASE -> amd64/10.1-RELEASE
drwxrwxr-x  14 ftp  ftp   26 Jun 20  2013 8.4-RELEASE
lrwxr-xr-x   1 ftp  ftp   17 Jan 16  2013 9.1-RELEASE -> amd64/9.1-RELEASE
lrwxr-xr-x   1 ftp  ftp   17 Sep 30  2013 9.2-RELEASE -> amd64/9.2-RELEASE
lrwxr-xr-x   1 ftp  ftp   17 Jul 11  2014 9.3-RELEASE -> amd64/9.3-RELEASE
drwxrwxr-x   3 ftp  ftp    5 Jul 02  2014 ISO-IMAGES
-rw-rw-r--   1 ftp  ftp  637 Nov 23  2005 README.TXT
drwxrwxr-x   8 ftp  ftp    9 Jan 26 16:00 amd64

FATAL: all hosts have already failed -- aborting
[root@ansible:/usr/local/etc/bsdploy] #
```

The problem is the version. ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE-p5/base.txz should be ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE/base.txz, i.e. -p5 should not be present. Perhaps the code is using uname -r instead of ... something else?
it is - but only as default. to override it, explicitly set the version in

FTR i've been bitten by this more than once now... perhaps we should either nudge @erdgeist to make ezjail more intelligent in this regard or work around it ourselves...

ezjail uses freebsd-update for this I think.
Next issue:

```
TASK: [jails_host | copy some settings from host to bsdploy_base flavour] *****
changed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys', 'src': '/root/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s /root/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys || cp -v /root/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys", "delta": "0:00:00.071377", "end": "2015-03-04 01:02:29.400778", "item": {"dest": "/usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys", "src": "/root/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:02:29.329401", "stdout_lines": [], "warnings": []}
stderr: cp: /root/.ssh/authorized_keys: No such file or directory

FATAL: all hosts have already failed -- aborting
```

I think root should be the user specified in etc/ploy.conf

you're right. you found a bug :) question is: how to fix it? since in your configuration you only specify the name of the user but here we need to know where that user's homedirectory is, we could try using

could you try modifying
Do you mean /usr/local/lib/python2.7/site-packages/bsdploy/roles/jails_host ? I ask because line 147 is blank. But this is around line 199:

```
- name: copy some settings from host to bsdploy_base flavour
  shell: cmp -s {{ item.src }} {{ item.dest }} || cp -v {{ item.src }} {{ item.dest }}
  register: _cp_settings_result
  changed_when: _cp_settings_result.stdout|default() != ''
  with_items:
    - { src: "/etc/resolv.conf", dest: "/usr/jails/flavours/bsdploy_base/etc/resolv.conf" }
    - { src: "$HOME/.ssh/authorized_keys", dest: "/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys" }
```

But there is still a root somewhere:

```
TASK: [jails_host | copy some settings from host to bsdploy_base flavour] *****
ok: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys', 'src': '$HOME/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s $HOME/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys || cp -v $HOME/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys", "delta": "0:00:00.071264", "end": "2015-03-04 01:24:05.694122", "item": {"dest": "/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys", "src": "$HOME/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:24:05.622858", "stdout_lines": [], "warnings": []}
stderr: cp: /root/.ssh/authorized_keys: No such file or directory

FATAL: all hosts have already failed -- aborting
```

If I hardcode that line:

```
    - { src: "/usr/home/THEUSER/.ssh/authorized_keys", dest: "/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys" }
```

We get this:

```
TASK: [jails_host | copy some settings from host to bsdploy_base flavour] *****
ok: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys', 'src': '/usr/home/THEUSER/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s /usr/home/THEUSER/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys || cp -v /usr/home/THEUSER/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys", "delta": "0:00:00.072090", "end": "2015-03-04 01:32:58.871329", "item": {"dest": "/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys", "src": "/usr/home/THEUSER/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:32:58.799239", "stdout_lines": [], "warnings": []}
stderr: cp: /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys: No such file or directory

FATAL: all hosts have already failed -- aborting
```
looks like you need to create the intermediate directories, too.

Yeah... but shouldn't the script be doing that?

I did this:

```
$ sudo mkdir -p /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh
$ sudo chown -R THEUSER:THEUSER /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/
```

Then configure ran to completion:

```
TASK: [jails_host | copy some settings from host to bsdploy_base flavour] *****
ok: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
changed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys', 'src': '/usr/home/THEUSER/.ssh/authorized_keys'})
```
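The manual workaround above (mkdir -p, chown, then the role's cmp-or-cp task) can be folded into one idempotent step. The POSIX shell script below is an added example, not code from this thread or from bsdploy: it resolves the configured user's home directory with getent (an assumption about the host; bsdploy itself only knows the user name), creates the missing intermediate directories under the flavour tree, copies authorized_keys only when the content differs, and gives the copied file the owner and 0600 mode that sshd's StrictModes expects inside the jail. Function names, the optional owner argument and the DEMO switch are this example's own; the sample run uses a constructed temporary tree rather than a real user.

```shell
#!/bin/sh
# Added example, not bsdploy's own code: sync a user's authorized_keys into an
# ezjail flavour tree, creating the intermediate directories the role assumed
# already existed. Assumes getent(1) is available (true on FreeBSD and Linux).

# Print the home directory of a named user, or nothing if the user is unknown.
user_home() {
    getent passwd "$1" | cut -d: -f6
}

# Copy absolute path SRC to the same relative location under FLAVOUR, creating
# parent directories. Prints "changed" when a copy happened and "ok" when the
# destination already matched (the cmp || cp idiom from the Ansible task).
# Optional OWNER is applied to the .ssh directory and the key file, as the
# manual chown -R did. Returns 1 if SRC does not exist.
sync_into_flavour() {
    src=$1
    flavour=$2
    owner=$3
    dest="$flavour$src"
    if [ ! -f "$src" ]; then
        echo "missing source: $src" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    if cmp -s "$src" "$dest"; then
        echo ok
        return 0
    fi
    cp "$src" "$dest"
    chmod 600 "$dest"      # authorized_keys must not be group/world writable
    if [ -n "$owner" ]; then
        chown "$owner" "$(dirname "$dest")" "$dest"
    fi
    echo changed
}

# Sync the configured user's authorized_keys; ownership stays with that user
# so sshd inside the jail accepts the file under StrictModes.
sync_user_keys() {
    user=$1
    flavour=$2
    home=$(user_home "$user")
    if [ -z "$home" ]; then
        echo "unknown user: $user" >&2
        return 1
    fi
    sync_into_flavour "$home/.ssh/authorized_keys" "$flavour" "$user"
}

# Sample run against a constructed temporary tree (no real users touched):
#   DEMO=1 sh sync_keys.sh
if [ "${DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    echo "ssh-ed25519 AAAAC3example constructed-key" > "$tmp/home/.ssh/authorized_keys"
    sync_into_flavour "$tmp/home/.ssh/authorized_keys" "$tmp/flavour"   # changed
    sync_into_flavour "$tmp/home/.ssh/authorized_keys" "$tmp/flavour"   # ok
    rm -rf "$tmp"
fi
```

Resolving the home directory from the passwd database rather than from $HOME matters here because the task runs under sudo: with `sudo -H` $HOME is root's, which is exactly why the copy kept looking in /root/.ssh even after the path was changed to $HOME.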
ok, great. tomorrow i'll try to fix this properly unless @fschulze beats me to it :)

Very happy to be finding bugs for y'all.

@dlangille i've pushed a fix in #62 but wasn't able to test here locally just now. are you able to install that branch from git and test it? that would be a great help
Trying to install:

```
# make
....
Getting required 'ploy<2dev,>=1.0.0'
  required by ploy-ec2 1.1.2.dev0.
We have a develop egg: ploy 1.1.1.dev0
Getting required 'setuptools'
  required by ploy 1.1.1.dev0.
  required by ploy-virtualbox 1.1.1.dev0.
  required by ploy-ec2 1.1.2.dev0.
  required by bsdploy 2.0.dev0.
We have a develop egg: setuptools 12.0.5
Adding find link 'https://pypi.python.org/packages/source/c/certifi/certifi-1.0.1.tar.gz#md5=45f5cb94b8af9e1df0f9450a8f61b790' from setuptools 12.0.5
Adding find link 'https://pypi.python.org/packages/source/w/wincertstore/wincertstore-0.2.zip#md5=ae728f2f007185648d0c7a8679b361e2' from setuptools 12.0.5
Getting required 'readline'
We have no distributions for readline that satisfies 'readline'.
Getting distribution for 'readline'.
Running easy_install:
"/usr/home/dan/src/bsdploy/bin/python2.7" "-c" "from setuptools.command.easy_install import main; main()" "-mZUNxd" "/usr/home/dan/src/bsdploy/eggs/tmp7gqXAw" "-q" "/tmp/tmpDw2YfEget_dist/readline-6.2.4.1.tar.gz"
path=/usr/home/dan/src/bsdploy/lib/python2.7/site-packages

cc: readline/libreadline.a: No such file or directory
cc: readline/libhistory.a: No such file or directory
error: Setup script exited with error: command 'cc' failed with exit status 1
An error occurred when trying to install readline 6.2.4.1. Look above this message for any errors that were output by easy_install.
While:
  Installing bsdploy.
  Getting distribution for 'readline'.
Error: Couldn't install: readline 6.2.4.1
*** [.installed.cfg] Error code 1

Stop in /usr/home/dan/src/bsdploy.
[root@ansible:/usr/home/dan/src/bsdploy] #
```

ok, looks like you're missing dependencies to build from source. i think it's probably best if we leave it at that and i'll create a non-root based test here before we merge that feature. thanks for trying!

this issue has been elevated to a pull request (#65)
I want to ssh as non-root. This user is in the wheel group and does sudo auth via ssh agent. See http://blather.michaelwlucas.com/archives/1106
I want commands run on the host to be invoked with sudo
I want ssh to the host to be invoked with: ssh -A
At present, I have this:
/root/.ssh/config contains
But: