Replies inline...

On Mon, Sep 8, 2014 at 6:10 PM, Romain Richard <
[email protected]> wrote:

> Hi,
>
> We have a playbook to manage SSH keys on our servers (we are not using
> the authorized_key module because it appends users' keys without ever
> deleting the old ones).
>


This is because it's only got the key to go with.

This could be handled by having a previous task that copied a blank file
over, provided you weren't logged in as that user.

You could also keep a list of previous keys and use state=absent to remove
those.

I'm open to the idea of having a parameter like exclusive=yes that removes
the other keys in the file.



> For that we created a template to gather all the SSH keys based on the
> different roles and groups, which is working fine except when using the
> --check option.
> When using that option, Ansible will show changes that are not going to
> happen when the playbook is run without the option.
>


Some ansible modules don't fully understand check mode and will report
"changed=True" automatically without running in check mode rather than risk
making a change.

This doesn't apply to authorized_key though, it *does* support check mode.

Can we see the changed lines from your ansible playbook, as well as the
output of ansible --version to confirm this is from those lines and a
recent version of Ansible?

Thanks!

>
> As an example:
>
> $ ansible-playbook keys.yml --limit somehost --check
> [...]
> somehost : ok=15   changed=4    unreachable=0    failed=0
>
> $ ansible-playbook keys.yml --limit somehost
> [...]
> somehost : ok=15   changed=0    unreachable=0    failed=0
>
>
> The changes concern the authorized_key file (here 4 changes because the
> playbook deploys 4 users).
> Here's an extract of the output of the command when run with the --diff
> option:
>
> $ ansible-playbook keys.yml --limit somehost --check --diff
> [...]
>  ___________________________________________________
> < TASK: keys | copy authorized key template to host >
>  ---------------------------------------------------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
>
>
> --- before: ~root/.ssh/authorized_keys
> +++ after:
> /home/romain/workspace/it_ansible/roles/keys/templates/authorized_keys.j2
> @@ -0,0 +1,4 @@
> +ssh-rsa [...]
> +ssh-rsa [...]
> +ssh-rsa [...]
> +ssh-rsa [...]
>
> changed: [somehost]
> [...]
>
> The --check option is rendered useless since we can't trust it.
>


In this case it is showing that there would be additions from your template
that are not in the original file, so it seems that it is returning
accurately in this regard.

Or is your assertion that the diff is *also* wrong?  That seems somewhat
unlikely, but somewhat resembles what may be an older bug in Ansible -- I
could be wrong.

Again, output of ansible --version would be helpful.

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgx%2BD0jY9B3VJ08WwuoZTjv%3DA0aY81nZ9wrjg_vZYZ2gDw%40mail.gmail.com.
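As an added example (not code from the thread or from the Ansible project) of the two approaches suggested in the reply above: a play that first empties each managed user's authorized_keys, skipping the account Ansible is connected as, then re-adds the current keys with authorized_key and removes an explicit list of revoked keys with state=absent. The host, user names, key strings and the managed_users/revoked_keys variables are constructed placeholders; ansible_user_id is the gathered fact holding the remote login name, so fact gathering must be on.

```yaml
# Added example, not code from the thread; host, users and keys are placeholders.
- hosts: somehost
  vars:
    managed_users:
      - name: deploy
        keys:
          - "ssh-rsa AAAAB3...EXAMPLEKEY1 deploy@workstation"   # placeholder
      - name: ops
        keys:
          - "ssh-rsa AAAAB3...EXAMPLEKEY2 ops@laptop"           # placeholder
    revoked_keys:
      - user: deploy
        key: "ssh-rsa AAAAB3...OLDKEY retired@old-laptop"      # placeholder
  tasks:
    - name: ensure .ssh exists for each managed user
      file:
        path: "/home/{{ item.name }}/.ssh"
        state: directory
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0700"
      with_items: "{{ managed_users }}"
    # Approach 1: blank the file first so stale keys cannot survive. Skipped
    # for the account Ansible is connected as (ansible_user_id is the gathered
    # fact for the remote login name), or the play would lock itself out.
    - name: reset authorized_keys to empty
      copy:
        content: ""
        dest: "/home/{{ item.name }}/.ssh/authorized_keys"
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
      with_items: "{{ managed_users }}"
      when: item.name != ansible_user_id
    - name: add the current keys
      authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
      with_subelements:
        - "{{ managed_users }}"
        - keys
    # Approach 2: explicitly remove known old keys; safe for every account,
    # including the one Ansible is connected as.
    - name: remove revoked keys
      authorized_key:
        user: "{{ item.user }}"
        key: "{{ item.key }}"
        state: absent
      with_items: "{{ revoked_keys }}"
```

Running this with --check --diff shows the reset task as a change whenever the existing file is non-empty, which is expected: check mode compares the blank content against the file on disk, not against the end state of the whole play.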
