I am trying to copy id_rsa.pub for a user (rke) on my Ansible controller to authorized_keys on remote hosts.

I am running the Ansible playbook as user ansible. Since the ansible user cannot access /home/rke/.ssh, it cannot look up the pub key. I tried elevating privileges on the lookup tasks and cannot do it.

On Fri, Jul 22, 2022 at 11:12 AM John Petro <[email protected]> wrote:

> I am sure you have mentioned this before, so forgive me if it's a repeat. I couldn't find the email in my inbox. What is it you are trying to do again?
>
> On Fri, Jul 22, 2022 at 2:07 PM Tony Wong <[email protected]> wrote:
>
>> Trying to do this another way:
>>
>>     - name: copy id_rsa.pub to tmp for reading on localhost
>>       ansible.builtin.shell:
>>         cmd: "{{ command2 }}"
>>       register: shell_output
>>       become: true
>>       delegate_to: localhost
>>
>> where command2 is 'cp /home/rke/.ssh/id_rsa.pub /tmp'.
>>
>> I am trying to run this only on the Ansible controller (localhost), but it looks like it's trying to run on the remote nodes:
>>
>>     fatal: [k8node02 -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>     fatal: [k8master -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>     fatal: [k8node01 -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>
>> Any idea?
>>
>> On Thursday, July 21, 2022 at 9:42:44 AM UTC-7 Tony Wong wrote:
>>
>>> Do you mean something like this?
>>>
>>>     ---
>>>     # tasks file for createuser
>>>     - include_vars:
>>>         dir: vars
>>>
>>>     - name: Get id_rsa.pub from localhost
>>>       set_fact:
>>>         auth_key: "{{ lookup('file', '/home/rke/.ssh/id_rsa.pub') }}"
>>>       delegate_to: localhost
>>>
>>>     - name: create user rke
>>>       ansible.builtin.user:
>>>         name: '{{ username }}'
>>>         shell: '{{ shell }}'
>>>         generate_ssh_key: yes
>>>         create_home: yes
>>>         groups: [ "{{ group1 }}", "{{ group2 }}" ]
>>>         append: yes
>>>         ssh_key_file: .ssh/id_rsa
>>>       become: true
>>>
>>>     - name: Make sure we have a 'wheel' group
>>>       group:
>>>         name: wheel
>>>         state: present
>>>
>>>     - name: Allow 'wheel' group to have passwordless sudo
>>>       lineinfile:
>>>         dest: /etc/sudoers
>>>         state: present
>>>         regexp: '^%wheel'
>>>         line: '%wheel ALL=(ALL) NOPASSWD: ALL'
>>>         validate: 'visudo -cf %s'
>>>
>>>     - name: Setup authkeys for user rke
>>>       become: true
>>>       authorized_key:
>>>         user: '{{ username }}'
>>>         state: present
>>>         # the key text itself, not the literal word auth_key
>>>         key: "{{ auth_key }}"
>>>
>>> On Thu, Jul 21, 2022 at 7:48 AM Dick Visser <[email protected]> wrote:
>>>
>>>> On Thu, 21 Jul 2022 at 16:32, Tony Wong <[email protected]> wrote:
>>>>
>>>>> Yes it does, but the user (ansible) I am running the playbook with, even though it has sudo rights and is in the root group, can't access that folder.
>>>>
>>>> Your authorized_keys task is run on the remote host, but using the lookup/file plugin in one of the arguments doesn't allow for privilege escalation locally.
>>>> I think for fetching the materials, you should have an initial set_fact task with delegate_to=localhost and set become=true on that.
>>>>
>>>> (not verified)
>>>>
>>>>> I tried to copy the id_rsa.pub to /tmp and it works.
>>>>>
>>>>> On Thu, Jul 21, 2022 at 7:10 AM John Petro <[email protected]> wrote:
>>>>>
>>>>>> Does /home/rke/.ssh/id_pub.rsa exist on the host you are running the Ansible playbook from? Also, what happens if you try to do an ls on that directory as the user that is executing the Ansible playbook? Are you getting any errors?
>>>>>>
>>>>>> On Thu, Jul 21, 2022 at 9:09 AM Tony Wong <[email protected]> wrote:
>>>>>>
>>>>>>>     [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>>>     fatal: [k8master]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>>>     [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>>>     fatal: [k8node01]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>>>     [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>>>     fatal: [k8node02]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>>>
>>>>>>> On Thu, Jul 21, 2022 at 5:32 AM Tony Wong <[email protected]> wrote:
>>>>>>>
>>>>>>>> How do I get access to look up the id_rsa.pub file? The user running the Ansible playbook has sudo rights on the controller.
>>>>>>>>
>>>>>>>> On Wed, Jul 20, 2022 at 4:31 PM Todd Lewis <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> It would have root access — on the target machine, but not on the Ansible controller.
>>>>>>>>>
>>>>>>>>> On Wednesday, July 20, 2022 at 6:24:24 PM UTC-4 [email protected] wrote:
>>>>>>>>>
>>>>>>>>>> But I used become: in my main.yml.
>>>>>>>>>>
>>>>>>>>>> Would that have root access?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CALmkhkpreazuMPR34At7PX_U3Pgwiho41N5TGGqaMyV1UCopjA%40mail.gmail.com.
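The approach the replies point at (fetch the key on the controller in a delegated, privilege-escalated task, then hand the value to authorized_key on each remote host), worked through as an added example; this is not code posted in the thread. It uses ansible.builtin.slurp rather than lookup('file', ...): a lookup is evaluated inside the ansible-playbook process on the controller as the user who started it, and become only wraps module execution, so it cannot make the lookup read a file that user cannot open. slurp is a module, so delegate_to: localhost together with become: true does run it under sudo on the controller, and the file content comes back base64-encoded in memory instead of being copied to /tmp. The inventory group name k8s and the variable names are this example's assumptions, not the thread's.

```yaml
---
# Added example, not code from the thread. Assumptions: the inventory
# group is "k8s", the controller is addressable as "localhost", and the
# ansible user can sudo on the controller.
- name: Install rke's controller public key on all cluster nodes
  hosts: k8s
  vars:
    username: rke
    pubkey_path: /home/rke/.ssh/id_rsa.pub

  tasks:
    # slurp is a module, so become applies to it; lookup('file') is not
    # a module and runs as the invoking user no matter what become says.
    # A delegated task still runs once per target host; run_once limits
    # it to a single execution, and the registered result is then shared
    # with every host in the play.
    - name: Read the public key on the controller with privilege escalation
      ansible.builtin.slurp:
        src: "{{ pubkey_path }}"
      register: controller_pubkey
      delegate_to: localhost
      become: true
      run_once: true

    # Sanity check before touching any authorized_keys file: an OpenSSH
    # public key line starts with its key type (ssh-ed25519, ssh-rsa, ...).
    # Catches reading the wrong file (e.g. a private key) by mistake.
    - name: Refuse to continue if the file does not look like a public key
      ansible.builtin.assert:
        that:
          - "(controller_pubkey.content | b64decode | trim) is match('^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ')"
        fail_msg: "{{ pubkey_path }} on the controller does not contain an OpenSSH public key"
      run_once: true

    # The user and its home directory must exist before authorized_key
    # can create ~/.ssh/authorized_keys.
    - name: Ensure the target user exists
      ansible.builtin.user:
        name: "{{ username }}"
        create_home: true
      become: true

    # key: takes the key text itself. A bare word such as `key: auth_key`
    # would be the literal string "auth_key", not the variable.
    # Short name as used in the thread; the collection FQCN is
    # ansible.posix.authorized_key.
    - name: Install the controller's public key in authorized_keys
      authorized_key:
        user: "{{ username }}"
        state: present
        key: "{{ controller_pubkey.content | b64decode | trim }}"
      become: true
```

Two notes on the attempts in the thread. The shell-based attempt failed for a different reason than the one being chased: the error lists the parameters that Ansible version's command module accepts, and `cmd` is not among them, so the free-form `ansible.builtin.shell: cp ...` would have been accepted, but it would still have run once per target host, because delegate_to changes where a task runs, not how many times. Since id_rsa.pub is a public key, an alternative that needs no sudo at all is to grant the ansible user read access to that one file (for example with an ACL on the file and execute access on /home/rke and /home/rke/.ssh), after which the original lookup('file') works unchanged; that is a narrower privilege than root on the controller. Unrelated to the key problem, the posted role also grants the wheel group passwordless sudo on every node, which is worth a deliberate decision rather than a side effect of a user-creation role.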
