[ansible-project] remove previously used remote_user (possibly ControlMaster, ControlPersist problem)
Hi all,
to setup raspberry pis I would like to use the following palybooks (the
actual
yaml is at the end).
1. with remote_user=defaultuser, become and add newuser
2. with remote_user=newuser, become and delete defaultuser
If I play this with some docker container as target it works but if the
target
is a raspberry pi 3 (running archlinux or raspbian) I get:
TASK [remove default user]
*
fatal: [192.168.1.129]: FAILED! => {"changed": false, "msg": "userdel:
user defaultuser is currently used by process 615\n", "name":
"defaultuser", "rc": 8}
This seems to happen because when the second playbook runs there is still a
defaultuser ssh process running from the first playbook.
Looking into it I found out about `-o ControlMaster=auto -o
ControlPersist=60s`. And if I `export ANSIBLE_SSH_ARGS='-o
ControlMaster=no'`
before `ansible-playbook` it works also on the raspberry pi.
So my questions are the following.
Why does this affect the rasperry pi but not some docker containers? With
the
default `ControlPersist=60s` it seems that it should also fail on the docker
container.
And is it possible to set `ControlMaster=no` for a specific playbook?
Thanks
Davide
Playbooks:
---
# login as default user and add new user
- hosts: testhost
vars_files:
- secret
vars:
ansible_password: "{{ defaultuserpassword }}"
ansible_become_pass: "{{ rootpassword }}"
remote_user: "{{ defaultusername }}"
become: yes
become_method: su
tasks:
- name: "add user {{ remoteusername }}"
user:
name: "{{ remoteusername }}"
password: "{{ remoteuserpassword|password_hash('sha512') }}"
shell: /bin/bash
state: present
# login as newuser and remove default user
- hosts: testhost
vars_files:
- secret
vars:
ansible_password: "{{ remoteuserpassword }}"
ansible_become_pass: "{{ rootpassword}}"
remote_user: "{{ remoteusername }}"
become: yes
become_method: su
tasks:
- name: remove default user
user:
name: "{{ defaultusername }}"
state: absent
remove: yes
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/09c3aba4-9b7e-4db7-8a0f-5bcab1c26883%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: Deleting a user; still being used
So I am not the only one that has this problem on the raspberry pi ;) [1]. I am still confused on why I have this problem only on the raspberry pi but killing the process works great. Thanks! I still would prefer to set ControlMaster=no just for the one playbook that uses the default user. But unfortunately there is no ssh_args playbook attribute. Regards Davide [1]: https://groups.google.com/forum/#!topic/ansible-project/pMMINWCyALE On Monday, 1 February 2016 14:19:13 UTC+1, Bruno Vernay wrote: > > I add this problem, I did this: > > - name: Remove old "pi" account > hosts: qemu > become: yes > become_method: sudo > gather_facts: false > tasks: > - name : Kill all "pi" user's processes and remove the account > shell : "killall -KILL -u pi ; userdel -fr pi" > > # Didn't work, "...cannot open /etc/subuid" > #- name: Remove pi account > # user: name=pi state=absent force=yes remove=yes > > not very clean, but works > > Bruno > > > On Friday, November 27, 2015 at 5:06:30 PM UTC+1, Andrew Langhorn wrote: >> >> Hello, >> >> I am instantiating an EC2 instance from a community AMI in the >> Marketplace. The AMI comes pre-baked with a default user (ec2-user). >> >> I have a role in my Ansible repository which is applied to all machines, >> called common. Inside this role, I have a few tasks which create a new user >> (`ansible`), configure an SSH key for it, and sort out an entry in >> /etc/sudoers. These tasks are tagged as 'firstrun'. >> >> The first time I run Ansible, I connect with the ec2-user account >> remotely using: >> >> ansible-playbook -i hosts site.yml --tags firstrun >> >> This means that I only run those tasks tagged as firstrun, which makes >> the initial run quick. After this has completed successfully, I run: >> >> ansible-playbook -u ansible -i hosts site.yml --skip-tags firstrun >> >> This time, I'm skipping the tasks I've already run, and am also running >> Ansible as the `ansible` user on the instance. This adds a load of other >> plays to the machine, which works fine. >> >> I have a slight problem, however. When I invoke `ansible-playbook` for >> the second time, I expect it to run a task using the user module to delete >> the ec2-user account: >> >> >> name: remove ec2-user >> >> become: yes >> >> become_user: root >> >> user: name=ec2-user state=absent remove=yes force=yes >> >> >> Instead of this working correctly, I get this message: >> >> msg: userdel: user ec2-user is currently used by process 1918 >> userdel: cannot open /etc/subuid >> >> I don't see why (maybe I'm snowblind from having looked at this a bit too >> long!) the ec2-user still being used, given that by the time Ansible gets >> to this task, the connection for the first run should have timed out, or >> the socket should have closed. >> >> Does anyone have any ideas? It may just be that I can't see the wood from >> the trees! >> >> Thanks, >> >> Andrew >> >> -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3cd318b2-93db-46d3-8871-797a63ef704a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ansible-project] Re: remove previously used remote_user (possibly ControlMaster, ControlPersist problem)
I found a related post [1] where it is suggested to just kill all processes before deleting the user [2]. [1]: https://groups.google.com/d/msg/ansible-project/woy_asjA5No/c2I86Gq7AwAJ [2]: https://groups.google.com/d/msg/ansible-project/woy_asjA5No/oLxrV6UZCAAJ -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d1c514a3-4176-4eb6-b4a4-f261afbc006c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
