glad to hear that you got it working. Now on to the next thing, right? hehe
--John

On Fri, Jul 22, 2022, 6:20 PM Tony Wong <[email protected]> wrote:

> ok finally got it working. Thanks all for your help
>
> ---
> # tasks file for createuser
> - include_vars:
>     dir: vars
>
> #- name: copy id_rsa.pub to tmp for reading
> #  ansible.builtin.shell:
> #    cmd: "{{ command2 }}"
> #  register: shell_output
> #  become: true
> #  delegate_to: localhost
>
> - name: read id_rsa.pub
>   slurp:
>     path: "{{ authorized_key }}"
>   become: yes
>   delegate_to: localhost
>   register: rke_pub_key
>
> - name: create user rke
>   ansible.builtin.user:
>     name: '{{ username }}'
>     shell: '{{ shell }}'
>     generate_ssh_key: yes
>     create_home: yes
>     groups: [ "{{ group1 }}", "{{ group2 }}" ]
>     append: yes
>     ssh_key_file: .ssh/id_rsa
>   become: true
>
> - name: Make sure we have a 'wheel' group
>   group:
>     name: wheel
>     state: present
>
> - name: Allow 'wheel' group to have passwordless sudo
>   lineinfile:
>     dest: /etc/sudoers
>     state: present
>     regexp: '^%wheel'
>     line: '%wheel ALL=(ALL) NOPASSWD: ALL'
>     validate: 'visudo -cf %s'
>
> - name: Setup authkeys for user rke
>   become: true
>   authorized_key:
>     user: '{{ username }}'
>     state: present
>     key: "{{ rke_pub_key['content'] | b64decode }}"
>     validate_certs: false
>
> On Fri, Jul 22, 2022 at 3:02 PM Tony Wong <[email protected]> wrote:
>
>> ok now getting different error
>>
>> TASK [rancherpocreplay : Setup authkeys for user rke] ************************************************
>> [WARNING]: The value {'content': '...', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding': 'base64', 'failed': False} (type dict) in a string field was converted to u"{'content': '...', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding': 'base64', 'failed': False}" (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
>> fatal: [k8node01]: FAILED! => {"changed": false, "msg": "invalid key specified: {'content': '...', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding': 'base64', 'failed': False}"}
>> fatal: [k8node02]: FAILED! => {"changed": false, "msg": "invalid key specified: {'content': '...', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding': 'base64', 'failed': False}"}
>> fatal: [k8master]: FAILED! => {"changed": false, "msg": "invalid key specified: {'content': '...', 'source': '/home/rke/.ssh/id_rsa.pub', 'changed': False, 'encoding': 'base64', 'failed': False}"}
>>
>> I
>>
>> On Fri, Jul 22, 2022 at 1:28 PM Todd Lewis <[email protected]> wrote:
>>
>>> The error message is pretty clear: the command module doesn't have a "cmd" parameter. (Then it helpfully lists the parameters it does have.) You could say
>>>
>>>     ansible.builtin.shell: "{{ command2 }}"
>>>
>>> But Brian already gave you a solution, which I'll repeat here:
>>> You either need to run ansible-playbook as a user with permissions (rke, root?)
>>> or use a task to read the file while using privilege escalation (become):
>>>
>>>     - slurp:
>>>         path: '/home/rke/.ssh/id_rsa.pub'
>>>       become: yes
>>>       delegate_to: localhost
>>>       register: rke_pub_key
>>>
>>> This is the equivalent of you doing `sudo cat /home/rke/.ssh/id_rsa.pub`
>>> (lookups always run locally and are not affected by become, which only affects the 'remote' side of a task).
>>>
>>> On Friday, July 22, 2022 at 2:06:55 PM UTC-4 [email protected] wrote:
>>>
>>>> trying to do this another way
>>>>
>>>>     - name: copy id_rsa.pub to tmp for reading on localhost
>>>>       ansible.builtin.shell:
>>>>         cmd: "{{ command2 }}"
>>>>       register: shell_output
>>>>       become: true
>>>>       delegate_to: localhost
>>>>
>>>> where command2 is 'cp /home/rke/.ssh/id_rsa.pub /tmp'
>>>>
>>>> I am trying to run this only on the ansible controller (localhost)
>>>> but it looks like its trying to run on remote nodes
>>>>
>>>> fatal: [k8node02 -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>>> fatal: [k8master -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>>> fatal: [k8node01 -> localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (command) module: cmd Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends, warn"}
>>>>
>>>> any idea?
>>>>
>>>> On Thursday, July 21, 2022 at 9:42:44 AM UTC-7 Tony Wong wrote:
>>>>
>>>>> do you mean something like this?
>>>>>
>>>>> ---
>>>>> # tasks file for createuser
>>>>> - include_vars:
>>>>>     dir: vars
>>>>>
>>>>> - name: Get id_rsa.pub from localhost
>>>>>   set_fact:
>>>>>     auth_key: "{{ lookup('file', '/home/rke/.ssh/id_rsa.pub') }}"
>>>>>   delegate_to: localhost
>>>>>
>>>>> - name: create user rke
>>>>>   ansible.builtin.user:
>>>>>     name: '{{ username }}'
>>>>>     shell: '{{ shell }}'
>>>>>     generate_ssh_key: yes
>>>>>     create_home: yes
>>>>>     groups: [ "{{ group1 }}", "{{ group2 }}" ]
>>>>>     append: yes
>>>>>     ssh_key_file: .ssh/id_rsa
>>>>>   become: true
>>>>>
>>>>> - name: Make sure we have a 'wheel' group
>>>>>   group:
>>>>>     name: wheel
>>>>>     state: present
>>>>>
>>>>> - name: Allow 'wheel' group to have passwordless sudo
>>>>>   lineinfile:
>>>>>     dest: /etc/sudoers
>>>>>     state: present
>>>>>     regexp: '^%wheel'
>>>>>     line: '%wheel ALL=(ALL) NOPASSWD: ALL'
>>>>>     validate: 'visudo -cf %s'
>>>>>
>>>>> - name: Setup authkeys for user rke
>>>>>   become: true
>>>>>   authorized_key:
>>>>>     user: '{{ username }}'
>>>>>     state: present
>>>>>     key: auth_key
>>>>>
>>>>> On Thu, Jul 21, 2022 at 7:48 AM Dick Visser <[email protected]> wrote:
>>>>>
>>>>>> On Thu, 21 Jul 2022 at 16:32, Tony Wong <[email protected]> wrote:
>>>>>> >
>>>>>> > yes it does, but the user (ansible) i am running the playbook with even though it has sudo rights and in root group cant access that folder.
>>>>>>
>>>>>> Your authorized_keys task is run on the remote host, but using the lookup/file plugin in one of the arguments doesn't allow for privilege escalation locally.
>>>>>> I think for fetching the materials, you should have an initial set_fact task with delegate_to=localhost and set become=true on that.
>>>>>>
>>>>>> (not verified)
>>>>>>
>>>>>> > i tried to copy the id_rsa.pub to /tmp and it works
>>>>>> >
>>>>>> > On Thu, Jul 21, 2022 at 7:10 AM John Petro <[email protected]> wrote:
>>>>>> >>
>>>>>> >> Does /home/rke/.ssh/id_pub.rsa exist on the host you are running the ansible playbook from? Also, what happens if you try to do a ls on that directory as the user that is executing the ansible playbook, are you getting any errors?
>>>>>> >>
>>>>>> >> On Thu, Jul 21, 2022 at 9:09 AM Tony Wong <[email protected]> wrote:
>>>>>> >>>
>>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>> >>> fatal: [k8master]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>> >>> fatal: [k8node01]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>> >>> [WARNING]: Unable to find '/home/rke/.ssh/id_pub.rsa' in expected paths (use -vvvvv to see paths)
>>>>>> >>> fatal: [k8node02]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /home/rke/.ssh/id_pub.rsa"}
>>>>>> >>>
>>>>>> >>> On Thu, Jul 21, 2022 at 5:32 AM Tony Wong <[email protected]> wrote:
>>>>>> >>>>
>>>>>> >>>> how do i access to lookup the id_rsa.pub file? The user running ansible playbook has sudo rights on the controller
>>>>>> >>>>
>>>>>> >>>> On Wed, Jul 20, 2022 at 4:31 PM Todd Lewis <[email protected]> wrote:
>>>>>> >>>>>
>>>>>> >>>>> It would have root access — on the target machine, but not on the Ansible controller.
>>>>>> >>>>>
>>>>>> >>>>> On Wednesday, July 20, 2022 at 6:24:24 PM UTC-4 [email protected] wrote:
>>>>>> >>>>>>
>>>>>> >>>>>> But I used become: in my main.yml
>>>>>> >>>>>>
>>>>>> >>>>>> Would that have root access?
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAPAjob-Z6nhnTHodFJTwqfVv0xzDM9mYqbV-_N-T_3_19mxqAw%40mail.gmail.com.
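The "invalid key specified" failure in the thread came from handing the whole registered slurp dict to authorized_key, and the earlier draft passed the literal string auth_key; the fix was to pass slurp's base64-decoded 'content'. The following Python is an added example, not code from the thread or from Ansible: it mimics the check the authorized_key module applies, decoding a constructed slurp result (not the real key from the thread; all names and sample data are assumed) and validating the line as an OpenSSH public key, so both mistakes are rejected and the working pipeline passes.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: uint32 BE length + payload

# Constructed stand-in for /home/rke/.ssh/id_rsa.pub (not the key from the thread):
# an ed25519 public key whose 32-byte point is all zeros, so it parses but is unusable.
PUB_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
PUB_LINE = "ssh-ed25519 " + base64.b64encode(PUB_BLOB).decode() + " rke@controller (constructed)"

# Constructed stand-in for what `register: rke_pub_key` holds after the slurp task.
SLURP_RESULT = {
    "content": base64.b64encode((PUB_LINE + "\n").encode()).decode(),
    "source": "/home/rke/.ssh/id_rsa.pub",
    "encoding": "base64",
    "changed": False,
    "failed": False,
}

def parse_authorized_key(line: str) -> dict:
    """Validate one authorized_keys line, '<type> <base64 blob> [comment]'.
    The blob's first wire string must repeat the declared key type; anything
    else (e.g. the slurp dict rendered as text) raises ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("blob does not carry the declared key type")
    return {"type": key_type, "comment": parts[2] if len(parts) == 3 else ""}

def key_from_slurp(result: dict) -> dict:
    # The working pipeline from the thread: b64decode slurp's 'content', then validate.
    if result.get("encoding") != "base64":
        raise ValueError("unexpected slurp encoding")
    return parse_authorized_key(base64.b64decode(result["content"]).decode())

def is_valid_authorized_key(line: str) -> bool:
    # True for a real key line; False for both mistakes seen in the thread.
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False
```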
