Ansible become/effective user not working

Problem:
Running an Ansible command via the “Run Command - Ansible Default” template does not work as expected.

I’m also a FreeIPA user. I have the foreman-proxy public key associated with the correct user in FreeIPA and I’ve cleared all sssd caches, etc. The FreeIPA user in question has full sudo privileges via FreeIPA sudo rules, etc.

I know that Foreman RemoteExecution in general works because I can run a “Run Command - SSH Default” template type job and that does what I expect. Meaning, the settings under Administer > Settings > RemoteExecution, EffectiveUser, EffectiveUserMethod, SSH User all do what I expect.

I have enabled verbose logging for sshd on the client machine.

And when I do a “Run Command - SSH Default”, I see the connection come in as user “jrichard”, see it check the public key, say “okay” then the sudo and success.

But if I try this via the “Run Command - Ansible Default”, I see Foreman trying to connect as root seemingly no matter what I try… set the ansible_user host param or global param, set the effective user to “root” in the template definition, etc.

I guess my problem is related to or is exactly:
https://projects.theforeman.org/issues/23279

But as far as I can tell I have the latest versions of Foreman, Ansible, foreman_ansible, etc.

Expected outcome:

Run an Ansible command and have the SSH user + effective user settings cause Ansible to connect via ssh as the “SSH user” and then sudo.

Foreman and Proxy versions:
foreman.noarch 1.18.1-1.el7
tfm-rubygem-foreman_remote_execution.noarch 1.5.5-1.fm1_18.el7
tfm-rubygem-foreman_ansible.noarch 2.2.5-1.fm1_18.el7
rubygem-smart_proxy_ansible.noarch 2.0.3-1.fm1_18.el7
ansible.noarch 2.6.2-1.el7

Foreman and Proxy plugin versions:

Other relevant data:

Maybe I’m just doing it wrong :slight_smile:

Can someone tell me what settings I need to apply to have Foreman run an Ansible command as user “x” and do so via sudo?

Thanks !

Have you tried to use ‘ansible_become_user’ user set to ‘jrichard’?

Yes, just tried that via a host parameter, did not work.

Here is what I do to allow running ansible jobs from the Foreman server. I have a FreeIPA setup (foreman server, foreman proxies and hosts are enrolled in FreeIPA). Maybe one or more of these steps are not required anymore, but they were for 1.17. I use it for: remote exec, Puppet run SSH (a slightly different configuration) and ansible plays. Since you say some things already work, you probably only need the environments for daemons.

  • Trust the IPA certificate (I don’t remember why I had to do this :smile: )
      cp -f /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
      update-ca-trust

  • On FreeIPA, create a user allowed to SSH and sudo on your hosts. (I can give some hints if you don’t have this yet: HBAC rule + sudo rule)

  • On the foreman server, create the files
      /etc/sysconfig/foreman-proxy
      /etc/sysconfig/smart_proxy_dynflow_core
    They contain
      SHELL=/bin/bash

  • Create the file /etc/systemd/system/smart_proxy_dynflow_core.service.d/override.conf
      [Service]
      EnvironmentFile=-/etc/sysconfig/smart_proxy_dynflow_core

  • On the foreman server, set the remote exec user name:
      hammer settings set --name remote_execution_ssh_user --value myremoteusername

  • Create a symlink of the generated file (default path) /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy to /etc/foreman-proxy/id_rsa (the smart proxy uses it by default) and add the public key to your user in FreeIPA through the web UI or with a command like (after kinit as admin on your realm):
      ipa user-mod myremoteusername --sshpubkey="$(cat /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub)"

I did not change the default settings for Ansible any further (which uses sudo by default).

I have other steps to share if you need to integrate:

  • Foreman web interface authentication against FreeIPA through PAM (tested and functional)
  • Host enrollment in FreeIPA at provisioning (not yet tested)
  • remote exec from a distinct smartproxy with another user name

For my curiosity, is there a difference between remote exec and ansible? Like, are ansible and single remote exec initiated differently by the builtin dynflow and/or smartproxy?

Maybe related? Bug #23482: puppetrun ssh provider does not work without sudo because foreman-proxy user does not have SHELL environment variable - Foreman

Thanks for the input @hartmel, and all your stuff here:

That has at least pointed me in the right direction. I’ll try all your suggestions again, maybe on a clean install/env.

I can’t wrap my head around why though, RemoteExecution via SSH just works. And since the ansible-plugin is so dependent on that I would expect that to work as well.

Just to clarify, what I want to work is: TFM connects to the target host as user “x”, jrichard in this case, and sudos some commands. Or in Ansible speak, connect as user jrichard and “become”, via sudo, root and run an ansible ad hoc command.

I have not tried an actual playbook or role. Maybe I should.

Did a fresh install of 1.19 RC3 in my POC env and all required plugins for Ansible fun and it worked with these global params defined, no other hacking configs etc, woho!!!

Even more awesome that 1.19 will hopefully be GA in about a week here.

ansible_become yes
ansible_become_method sudo
ansible_become_user root
ansible_user jrichard

Was not able to duplicate in my 1.18 production env but maybe I broke something with all the hacking around trying to get it working. Plus, that was an upgrade from 1.17 so who knows.

Will try a clean install of 1.18 in POC and see if that works. If that fails I guess that means this is just broken in 1.18.

1 Like
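As an added example (my own code, not anything from the thread, Foreman or FreeIPA), the script below verifies, read-only, the pieces that hartmel's steps and the 1.19 global parameters above depend on: the SHELL setting in the two sysconfig files, the systemd drop-in, the key symlink and its permissions, the public key turning up in saved FreeIPA user output, and a parameter file that must describe "connect as a named non-root user and become root via sudo". Every path and sample value is an assumption taken from the thread, and the check on become parameters accepts both the `key value` form shown in the post and `key=value`.

```shell
#!/usr/bin/env bash
# Added example, my own code rather than anything from the thread, Foreman or
# FreeIPA: read-only checks for the pieces hartmel's steps and jrichard's
# 1.19 host parameters rely on. Paths and sample values are assumptions taken
# from the thread; nothing on the system is changed.

# 0 if the sysconfig file exists and sets SHELL=/bin/bash (the missing SHELL
# for the foreman-proxy user is what Bug #23482 is about).
check_shell_env() {
  [ -f "$1" ] && grep -qx 'SHELL=/bin/bash' "$1"
}

# 0 if the systemd drop-in loads the dynflow-core environment file
# (the leading "-" that makes a missing file non-fatal is optional here).
check_dynflow_override() {
  [ -f "$1" ] && grep -q '^EnvironmentFile=-\{0,1\}/etc/sysconfig/smart_proxy_dynflow_core$' "$1"
}

# 0 if $1 is a symlink resolving to the generated key $2 and that private key
# is readable by its owner only. ls -ldL is used instead of stat -c so the
# check is portable across GNU and BSD userlands.
check_key_link() {
  local link="$1" target="$2"
  [ -L "$link" ] || return 1
  [ "$(readlink -f "$link")" = "$(readlink -f "$target")" ] || return 1
  [ "$(ls -ldL "$link" | cut -c5-10)" = "------" ]
}

# 0 if the key body (second field of the OpenSSH public key file $1) appears
# in the text on stdin, e.g. saved output of "ipa user-show <user> --all".
# Only the key body is compared, so comment and whitespace differences are
# ignored.
check_pubkey_present() {
  local body
  body=$(awk 'NR == 1 { print $2 }' "$1")
  [ -n "$body" ] && grep -qF -- "$body"
}

# Read one parameter from a file of "key value" or "key=value" lines, the
# shape of the global parameters in jrichard's 1.19 post.
param() {
  awk -F'[= ]' -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# 0 if the parameters describe a connection as a named non-root user that
# escalates with sudo. On failure the first offending key is printed.
check_become_params() {
  local f="$1" user become method buser
  user=$(param ansible_user "$f")
  become=$(param ansible_become "$f")
  method=$(param ansible_become_method "$f")
  buser=$(param ansible_become_user "$f")
  { [ -n "$user" ] && [ "$user" != root ]; } || { echo ansible_user; return 1; }
  case "$become" in yes|true|True) ;; *) echo ansible_become; return 1 ;; esac
  [ "$method" = sudo ] || { echo ansible_become_method; return 1; }
  [ -n "$buser" ] || { echo ansible_become_user; return 1; }
}

# One PASS/FAIL line per check against the default paths from the thread.
# $1 is an optional parameter file for check_become_params. Always returns 0
# so the report itself never aborts a calling script.
report() {
  run() { if "$@" >/dev/null 2>&1; then echo "PASS $*"; else echo "FAIL $*"; fi; }
  run check_shell_env /etc/sysconfig/foreman-proxy
  run check_shell_env /etc/sysconfig/smart_proxy_dynflow_core
  run check_dynflow_override /etc/systemd/system/smart_proxy_dynflow_core.service.d/override.conf
  run check_key_link /etc/foreman-proxy/id_rsa /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy
  run check_become_params "${1:-/dev/null}"
  return 0
}

report "$@"
```

Run it on the Foreman server as `bash check-foreman-ansible.sh params.txt`, where params.txt holds the four global parameters one per line; the FreeIPA check is separate because it needs the user's saved `ipa user-show` output on stdin, for example `ipa user-show jrichard --all | check_pubkey_present /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub` after sourcing the script. A FAIL on check_key_link for permissions is worth acting on before anything else, since a group- or world-readable proxy key is what lets any local account impersonate the remote execution user on every managed host.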

So you don’t use remote_execution_ssh_user settings ?
Did you need to use EnvironmentFile ?
How did you setup your ssh key ?

  1. The remote user setting is there. I happen to set it via the UI under the Admin > Settings > RemoteExec tab, but my guess is doing it via the hammer CLI accomplishes the exact same thing. Yes though, I confirmed, this setting must be there and set appropriately.
    “SSH User root Default user to use for SSH. You may override per host by setting a parameter called remote_execution_ssh_user.”

  2. Did not need any env file.

  3. Grab the pub key from /usr/share/foreman-proxy/.ssh and apply it to the FreeIPA user.

And that’s it.

The only thing that required a bit, a very small bit of “figuring out” is that you need to install:
ansible, rubygem-smart_proxy_ansible.noarch and tfm-rubygem-foreman_ansible

This is not clear in the doc: https://www.theforeman.org/plugins/foreman_ansible/2.x/index.html

And regarding the doc, it might just be me, I’m reading it wrong, but it seems to be mostly about how to make an Ansible run send stuff back to TFM. And that’s good of course. But the real “OMG that’s awesome!!!” is the ability to run/schedule Ansible jobs via the UI and the tight integration with your already existing inventory generated by Puppet - the ability to further streamline what seems to be a pattern that I have heard from many others/orgs: Puppet gets used for overall config management and Ansible is used for more focused config/build related tasks and/or to complement the big picture job that Puppet is doing.

So maybe a re-write with a focus on first, “this is how you get Ansible runs working” and second, here’s how you get Ansible to send facts and such back to TFM.

Actually, everything I just described works in a clean/fresh TFM 1.18 install environment as well.

So, my prod env that was 1.17, upgraded to 1.18 must just have some config broken.

Clearly I should be able to replicate this anywhere.

So I’d say probably “case closed” but maybe… IMHO, alter/update the focus of the Ansible plugin doc.