I've been bashing at this since yesterday and have read around a lot and
tried lots of things. I figured it was time to try the list.
Basically I'm trying to create a playbook that will be used when
bootstrapping a fresh host. The root user is needed for the initial
bootstrap. After the on-target steps, several other systems have to have
an action run on them authorizing the bootstrapped host, one of which is
puppet. Here are some examples of what I tried.
---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"
    - command: "puppet cert sign {{ ansible_fqdn }}"
      delegate_to: "{{ puppetmaster }}"
This fails because the auth to the puppetmaster would be using my standard
network credentials, not the pre-bootstrap root user.
So I tried simply breaking this into multiple plays:
---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"

- hosts: boxens
  tasks:
    - command: "puppet cert sign {{ ansible_fqdn }}"
      delegate_to: "{{ puppetmaster }}"
Which fails because puppet hasn't actually run, because its cert
isn't signed, and so gather_facts doesn't work because it can't contact
newboxen using my regular credentials.
So... loop through the group?
---
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    - command: "puppet agent --noop --server={{ puppetmaster }}"

- hosts: puppetmaster
  gather_facts: no
  tasks:
    - command: "puppet cert sign {{ item }}"
      with_items: groups.boxens
Up until this step I've been running the task with a restricted host file
that only contained the new boxes. Since my puppetmaster would be in our
normal inventory files, expanding the input to this quickly makes
groups.boxens pretty much every box... most of which are already signed. I
can do a 'creates' check against that, but it is still gonna try every one.
I've tried several other things, but all with more jank and less success
than the above. It seems like I'm missing something fairly obvious, but no
idea what. Any suggestions?
thanks in advance
greg
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CACB_2Gby7bCWWUWy1G1Hq22ZCUh-Er0MvUghW28fOy2gtSTwvw%40mail.gmail.com.
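As an added example, not the poster's code or anything from the thread: one way to keep the signing step scoped to the same restricted inventory (or --limit) as the bootstrap play while reaching the puppetmaster with the regular credentials. The second play still targets boxens, so it only iterates over the hosts actually being bootstrapped, but it never connects to them: it has no `user: root`, fact gathering is off, and its only task is delegated to the puppetmaster. It assumes the Ansible 1.x syntax of the original post, that `{{ puppetmaster }}` resolves to an inventory host reachable with the normal login, that each agent's certname equals its inventory hostname (the `{{ ansible_fqdn }}` of the original needs facts, which are unavailable until the cert is signed), and the Puppet 3 default CA directory for the `creates` path.

```yaml
---
# Play 1: the bootstrap itself, run as the pre-bootstrap root user.
# Unchanged from the original attempt apart from comments.
- hosts: boxens
  user: root
  tasks:
    - yum: name={{ item }} state=present
      with_items: packages
    # First agent run only submits a CSR to the master; it is signed below.
    - command: "puppet agent --noop --server={{ puppetmaster }}"

# Play 2: still "hosts: boxens" so the restricted host file / --limit scopes
# it to the new boxes only, but nothing here connects to them:
#   - no "user: root", so the delegated SSH uses the normal credentials
#   - gather_facts: no, so the setup module is never run on the new boxes
#   - the only task runs on the puppetmaster via delegate_to
- hosts: boxens
  gather_facts: no
  tasks:
    # inventory_hostname is known without facts; ansible_fqdn is not.
    # Assumption: the agent's certname matches the inventory hostname.
    # "creates" is evaluated on the puppetmaster (where the command runs),
    # so an already-signed host is skipped instead of re-signed.
    # Assumption: Puppet 3 default ssldir /var/lib/puppet/ssl on the CA.
    - command: >
        puppet cert sign {{ inventory_hostname }}
        creates=/var/lib/puppet/ssl/ca/signed/{{ inventory_hostname }}.pem
      delegate_to: "{{ puppetmaster }}"
```

Because play 2 signs whatever name the inventory supplies, keep the restricted host file (or --limit) as the thing that decides which CSRs get signed; listing the whole group there would auto-sign every pending request for a known hostname, which is the same trust problem as `autosign` on the master.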