ssh as non-root

[dlangille]

I want to ssh as non-root. This user is in the wheel group and does sudo auth via ssh agent. See http://blather.michaelwlucas.com/archives/1106

I want commands run on the host to be invoked with sudo

I want ssh to the host to be invoked with: ssh -A

At present, I have this:

[plain-instance:tallboy]
host        = tallboy.example.org
user        = REDACTED
fingerprint = REDACTED

[ez-master:tallboy-jailhost]
instance = tallboy
roles    = jails_host
sudo     = true

/root/.ssh/config contains

Host tallboy.example.org
  Hostname     tallboy.example.org
  ForwardAgent yes

But:

[root@ansible:/usr/local/etc/bsdploy] # ploy configure tallboy-jailhost

PLAY [tallboy-jailhost] ******************************************************* 

GATHERING FACTS *************************************************************** 
fatal: [tallboy-jailhost] => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356 && echo $HOME/.ansible/tmp/ansible-tmp-1424378947.15-112924443990356, exited with result 1

TASK: [jails_host | bind host sshd to primary ip] ***************************** 
FATAL: no hosts matched or all hosts have already failed -- aborting

[root@ansible:/usr/local/etc/bsdploy] # 

[fschulze]

Could you please post how you setup sudo in the playbook? Though it looks like it either can't connect to tallboy-jailhost at all or it doesn't have permission to create the file in $HOME/.ansible. Could you try with -vvv to see what ansible is doing exactly?

[dlangille]

Here is my ansible.cfg:

[defaults]
remote_user=my-non-root-user
roles_path = /usr/local/etc/asible/roles
[ssh_connection]
ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes

[dlangille]

For those following, several ports were upgraded offline:

Mar  3 21:35:37 ansible pkg: py27-ploy upgraded: 1.0.3 -> 1.1.0 
Mar  3 21:35:37 ansible pkg: py27-ploy_ec2 upgraded: 1.1.0 -> 1.1.1 
Mar  3 21:35:37 ansible pkg: py27-ploy_ansible upgraded: 1.2.2 -> 1.2.4

My thanks to fschulze for the work and for koobs for committing it to the ports tree.

After fixing the server so sudo auth via ssh-agent worked, I ran:

ploy configure -vvv tallboy-jailhost

It terminated with:

TASK: [jails_host | Setup data zpool] ***************************************** 
 geli=False version=28 name=tank devices= raid_mode=detect
u'/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=kpbwbaexlbscczsbrscvimipwzwtnbrw] 
password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-kpbwbaexlbscczsbrscvimipwzwtnbrw; 
LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/local/bin/python2.7 
/usr/home/THEUSER/.ansible/tmp/ansible-tmp-1425421116.71-115795154719892/zpool; rm -rf 
/usr/home/THEUSER/.ansible/tmp/ansible-tmp-1425421116.71-115795154719892/ >/dev/null 2>&1\'"\'"\'\''
failed: [tallboy-jailhost] => {"failed": true}
msg: Don't know how to handle 0 number of devices ().
FATAL: all hosts have already failed -- aborting

I have:

$ pkg info
ezjail-3.4.1                   Framework to easily create, manipulate, and run FreeBSD jails
gettext-runtime-0.19.4         GNU gettext runtime libraries and programs
indexinfo-0.2.2                Utility to regenerate the GNU info page index
libffi-3.2.1                   Foreign Function Interface
pam_ssh_agent_auth-0.10.2      PAM module which permits authentication via ssh-agent
perl5-5.18.4_11                Practical Extraction and Report Language
pkg-1.4.12                     Package manager
python-2.7_2,2                 The "meta-port" for the default version of Python interpreter
python2-2_3                    The "meta-port" for version 2 of the Python interpreter
python27-2.7.9                 Interpreted object-oriented programming language
sudo-1.8.12                    Allow others to run commands as root
$ 

Configuration is:

# cat etc/ploy.conf
[plain-instance:tallboy]
host        = tallboy
user        = REDACTED
fingerprint = REDACTED
ansible_sudo = true
[ez-master:tallboy-jailhost]
ssh-extra-args = forwardagent yes
instance       = tallboy
roles          = jails_host
sudo           = true

And:

$ zfs list
NAME                         USED  AVAIL  REFER  MOUNTPOINT
system                      1.59G   436G    96K  /system
system/bootenv              1.05G   436G    96K  none
system/bootenv/default      1.05G   436G   928M  /
system/tmp                   150M   436G   150M  /tmp
system/usr                   169M   436G    96K  /usr
system/usr/home              812K   436G   732K  /usr/home
system/usr/local             168M   436G   158M  /usr/local
system/usr/obj                96K   436G    96K  /usr/obj
system/usr/ports             288K   436G    96K  /usr/ports
system/usr/ports/distfiles    96K   436G    96K  /usr/ports/distfiles
system/usr/ports/packages     96K   436G    96K  /usr/ports/packages
system/usr/src                96K   436G    96K  /usr/src
system/var                   234M   436G  27.6M  /var
system/var/crash              96K   436G    96K  /var/crash
system/var/db                205M   436G   153M  /var/db
system/var/db/pkg           51.2M   436G  26.4M  /var/db/pkg
system/var/empty              96K   436G    96K  /var/empty
system/var/log               412K   436G   308K  /var/log
system/var/mail              308K   436G   244K  /var/mail
system/var/run               412K   436G   228K  /var/run
system/var/tmp               160K   436G    96K  /var/tmp
$ zpool list
NAME     SIZE  ALLOC   FREE   FRAG  EXPANDSZ    CAP  DEDUP  HEALTH  ALTROOT
system   452G  1.59G   450G     0%         -     0%  1.00x  ONLINE  -
$ 

[fschulze]

That message comes up when there are no devices detected at /dev/gpt. You normally would have to set ploy_bootstrap_data_pool_devices to the device(s) you want to use for the tank. But ...

It looks like you have the whole disk for system, so you probably want to set ploy_bootstrap_data_pool_name to system. You can do that in your ploy.conf in [ez-master:tallboy-jailhost] with bootstrap-data-pool-name = system.

[fschulze]

You may also have to adjust jails_zfs_root, as it's currently hardcoded to tank/jails instead of using the variable. In ploy.conf you do that with ansible-jails-zfs-root = system/jails.

[dlangille]

Does this confirm your theories:

$ gpart show
=>       34  976773101  ada0  GPT  (466G)
         34          6        - free -  (3.0K)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048   16777216     2  freebsd-swap  (8.0G)
   16779264  954204160     3  freebsd-zfs  (455G)
  970983424    5789711        - free -  (2.8G)
=>       34  976773101  ada1  GPT  (466G)
         34          6        - free -  (3.0K)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048   16777216     2  freebsd-swap  (8.0G)
   16779264  954204160     3  freebsd-zfs  (455G)
  970983424    5789711        - free -  (2.8G)
$ 

[dlangille]

Progress:

TASK: [jails_host | Initialize ezjail (may take a while)] ********************* 
failed: [tallboy-jailhost] => {"changed": true, "cmd": ["ezjail-admin", "install", "-h", "ftp.freebsd.org", "-r", "10.1-RELEASE-p5"], "delta": "0:00:01.576269", "end": "2015-03-04 00:30:41.451221", "rc": 1, "start": "2015-03-04 00:30:39.874952", "warnings": []}
stderr: fetch: ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/snapshot/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/snapshots/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
fetch: ftp://ftp.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/amd64/10.1-RELEASE-p5/base.txz: File unavailable (e.g., file not found, no access)
Could not fetch base from ftp://ftp.freebsd.org.
  Maybe your release (10.1-RELEASE-p5) is specified incorrectly or the host ftp.freebsd.org does not provide that release build.
  Use the -r option to specify an existing release or the -h option to specify an alternative ftp server.
stdout: Querying your ftp-server... The ftp server you specified (ftp.freebsd.org) seems to provide the following builds:
lrwxr-xr-x    1 ftp      ftp            18 Jan 17  2014 10.0-RELEASE -> amd64/10.0-RELEASE
lrwxr-xr-x    1 ftp      ftp            18 Nov 12 05:56 10.1-RELEASE -> amd64/10.1-RELEASE
drwxrwxr-x   14 ftp      ftp            26 Jun 20  2013 8.4-RELEASE
lrwxr-xr-x    1 ftp      ftp            17 Jan 16  2013 9.1-RELEASE -> amd64/9.1-RELEASE
lrwxr-xr-x    1 ftp      ftp            17 Sep 30  2013 9.2-RELEASE -> amd64/9.2-RELEASE
lrwxr-xr-x    1 ftp      ftp            17 Jul 11  2014 9.3-RELEASE -> amd64/9.3-RELEASE
drwxrwxr-x    3 ftp      ftp             5 Jul 02  2014 ISO-IMAGES
-rw-rw-r--    1 ftp      ftp           637 Nov 23  2005 README.TXT
drwxrwxr-x    8 ftp      ftp             9 Jan 26 16:00 amd64
FATAL: all hosts have already failed -- aborting
[root@ansible:/usr/local/etc/bsdploy] # 

The problem is the version.

ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE-p5/base.txz

should be:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.1-RELEASE/base.txz

i.e. -p5 should not be present.

Perhaps the code is using uname -r instead of ... something else?

[tomster]

it is - but only as default. to override it, explicitly set the version in [ez-master:tallboy-jailhost]:

ezjail-install-release = 10.1-RELEASE

[tomster]

FTR i've been bitten by this more than once now... perhaps we should either nudge @erdgeist to make ezjail more intelligent in this regard or work around it ourselves...

[dlangille]

ezjail uses freebsd-update for this I think.

[dlangille]

Next issue:

TASK: [jails_host | copy some settings from host to bsdploy_base flavour] ***** 
changed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys', 'src': '/root/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s /root/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys || cp -v /root/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys", "delta": "0:00:00.071377", "end": "2015-03-04 01:02:29.400778", "item": {"dest": "/usr/jails/flavours/bsdploy_base/root/.ssh/authorized_keys", "src": "/root/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:02:29.329401", "stdout_lines": [], "warnings": []}
stderr: cp: /root/.ssh/authorized_keys: No such file or directory
FATAL: all hosts have already failed -- aborting

I think root should be the user specified in etc/ploy.conf

[tomster]

you're right. you found a bug :) question is: how to fix it? since in your configuration you only specifiy the name of the user but here we need to know where that user's homedirectory is, we could try using $HOME or ~ in the playbook...

could you try modifying roles/jails_host/tasks/main.yml (line 147) accordingly and report back?

[dlangille]

Do you mean /usr/local/lib/python2.7/site-packages/bsdploy/roles/jails_host ?

I ask because line 147 is blank. But this is around line 199:

- name: copy some settings from host to bsdploy_base flavour
  shell: cmp -s {{ item.src }} {{ item.dest }} || cp -v {{ item.src }} {{ item.dest }}
  register: _cp_settings_result
  changed_when: _cp_settings_result.stdout|default() != ''
  with_items:
    - { src: "/etc/resolv.conf", dest: "/usr/jails/flavours/bsdploy_base/etc/resolv.conf" }
    - { src: "$HOME/.ssh/authorized_keys", dest: "/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys" }

But there is still a root somewhere:

TASK: [jails_host | copy some settings from host to bsdploy_base flavour] ***** 
ok: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys', 'src': '$HOME/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s $HOME/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys || cp -v $HOME/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys", "delta": "0:00:00.071264", "end": "2015-03-04 01:24:05.694122", "item": {"dest": "/usr/jails/flavours/bsdploy_base/$HOME/.ssh/authorized_keys", "src": "$HOME/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:24:05.622858", "stdout_lines": [], "warnings": []}
stderr: cp: /root/.ssh/authorized_keys: No such file or directory
FATAL: all hosts have already failed -- aborting

[dlangille]

If I hardcode that line:

   - { src: "/usr/home/THEUSER/.ssh/authorized_keys", dest: "/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys" }

We get this:

TASK: [jails_host | copy some settings from host to bsdploy_base flavour] ***** 
ok: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/etc/resolv.conf', 'src': '/etc/resolv.conf'})
failed: [tallboy-jailhost] => (item={'dest': '/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys', 'src': '/usr/home/THEUSER/.ssh/authorized_keys'}) => {"changed": false, "cmd": "cmp -s /usr/home/THEUSER/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys || cp -v /usr/home/THEUSER/.ssh/authorized_keys /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys", "delta": "0:00:00.072090", "end": "2015-03-04 01:32:58.871329", "item": {"dest": "/usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys", "src": "/usr/home/THEUSER/.ssh/authorized_keys"}, "rc": 1, "start": "2015-03-04 01:32:58.799239", "stdout_lines": [], "warnings": []}
stderr: cp: /usr/jails/flavours/bsdploy_base/usr/home/THEUSER/.ssh/authorized_keys: No such file or directory
FATAL: all hosts have already failed -- aborting

[tomster]

looks like you need to create the intermediate directories, too.