Foreman freeipa and ansible/remote execution


Connecting TFM to FreeIPA using ipa-client-install will configure /etc/ssh/ssh_config with the following lines:
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand SHELL=/bin/bash /usr/bin/sss_ssh_knownhostsproxy -p %p %h

When running a remote execution using TFM, the command will be run as the foreman-proxy user, and this user doesn’t have a SHELL (/bin/false). It seems sss_ssh_knownhostsproxy needs a shell to run. The nice thing is that this ssh proxy command handles the known_hosts file properly; without it we need to handle this file by hand or using alternative methods.
Has anybody a similar setup?
Known workaround?

Expected outcome:

Foreman and Proxy versions:

ipa VERSION: 4.5.0, API_VERSION: 2.228

Foreman and Proxy plugin versions:

Thanks for any hint/idea
rgds, arsene

Bug opened not so long ago, workaround included: Bug #23482: puppetrun ssh provider does not work without sudo because foreman-proxy user does not have SHELL environment variable - Foreman


This workaround didn’t work for me; it seems /etc/sysconfig/foreman-proxy isn’t sourced even when restarting the foreman-proxy service.

Could you verify there’s EnvironmentFile=-/etc/sysconfig/foreman-proxy in the unit file? systemctl cat foreman-proxy should show you.

The unit file looks exactly as you wrote in your reply.

Ansible playbook runs when disabling the SSH ProxyCommand in /etc/ssh/ssh_config but not when it is enabled.

Is there a way to verify if the SHELL variable effectively exists in the foreman-proxy user context?

So maybe it’s another problem.

What I can say is the following. The single steps to have remote SSH working:

My foreman/katello VM is a CentOS 7.4 enrolled in freeipa, and then I installed foreman/katello packages.

I have a dedicated user in FreeIPA. After the foreman-installer run, I link the generated SSH keys into the foreman-proxy directory:

ln -s /usr/share/foreman-proxy/.ssh/ /etc/foreman-proxy/
ln -s /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy /etc/foreman-proxy/id_rsa

Just because /etc/foreman-proxy/id_rsa is the default path to look for the ssh RSA key.

In FreeIPA, I register the public SSH key generated.

In foreman web UI, in settings, I defined the remote user login to use.

Then, on a host, I can run commands with “schedule remote jobs” and default SSH remote command template.

BUT, the Ansible run of roles is not yet working. I’m trying to debug why.

(forgot to mention again that in the foreman-proxy environment file, as described in previous messages, I defined the SHELL env variable)

Now that I’m trying to run ansible roles, I had the same problem you describe.

Ansible uses a wrapper named ‘sshpass’ to ssh to hosts. Unset the ansible_password (in the Settings > Ansible web page) and ansible will not use it anymore. I think it conflicts with the sss_ssh_knownhostsproxy.

Next, ssh didn’t find the SSH key (/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy, as defined by the default installer), so I renamed it and its public part to id_rsa (and fixed my puppetrun_ssh which is using it too, but that’s another subject).

Then, I was able to run ansible roles.

What I don’t understand is why I had to rename the key files. I was sure that ssh by default looks for and uses every key pair it can find.

So, if I sum up and don’t forget anything, on a FreeIPA-enrolled foreman server:

  • EnvironmentFile with SHELL defined is enough for Remote Execution and for puppetrun by SSH

For Ansible I needed more things:

  • /usr/share/foreman-proxy/.ansible directory with right chown/chmod
  • Global setting ansible_password undefined (default is ‘ansible’)
  • RSA keys in /usr/share/foreman/.ssh/ renamed to be compliant with default searches of ssh client

I had difficulties debugging because the ansible_verbosity setting is not available (though this issue is closed: Bug #20493: missing ansible_verbosity setting - Ansible - Foreman) and adding ansible_verbosity as a host parameter didn’t work, so I had to add -vvv in the ruby source code.

Adding -vvv in ssh args in /etc/ansible/ansible.cfg helped too.

Of course I forgot something :upside_down_face:

This time it’s the smart_proxy_dynflow_core daemon (run as foreman-proxy too) which needs a SHELL env variable.

So, override the systemd unit: create the file /etc/systemd/system/smart_proxy_dynflow_core.service.d/override.conf (or run “systemctl edit smart_proxy_dynflow_core”) with this content:

[Service]
EnvironmentFile=-/etc/sysconfig/smart_proxy_dynflow_core

And copy the env file used for the foreman-proxy daemon:

cp /etc/sysconfig/foreman-proxy /etc/sysconfig/smart_proxy_dynflow_core
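As an added example (not from the thread), a small POSIX shell helper that renders the drop-in above and checks, from /proc/<MainPID>/environ, whether a running service such as foreman-proxy or smart_proxy_dynflow_core actually carries SHELL, so the sss_ssh_knownhostsproxy ProxyCommand (and with it SSSD-managed host-key checking) can stay enabled instead of being disabled in ssh_config. The `--check` flag and the two service names are assumptions; the environ blob in the comments is constructed.

```shell
#!/bin/sh
# Added example: verify that a systemd service's main process has SHELL set.
# Assumes procfs and systemctl; the parsing helpers run on any NUL-separated
# environ blob, so they can be exercised offline on constructed input.

# Print the value of variable $1 from a NUL-separated environ read on stdin
# (constructed sample: printf 'PATH=/usr/bin\0SHELL=/bin/bash\0').
env_var_from_environ() {
    var="$1"
    tr '\0' '\n' | sed -n "s/^${var}=\(.*\)$/\1/p" | head -n 1
}

# Return 0 when service $1 is running and its main process defines SHELL.
# Uses `systemctl show -p MainPID` without --value so it works on systemd 219.
service_has_shell() {
    svc="$1"
    pid=$(systemctl show -p MainPID "$svc" | cut -d= -f2)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$svc: not running" >&2
        return 2
    fi
    val=$(env_var_from_environ SHELL < "/proc/$pid/environ")
    if [ -n "$val" ]; then
        echo "$svc: SHELL=$val"
    else
        echo "$svc: SHELL is not set; ProxyCommand will fail" >&2
        return 1
    fi
}

# Render the systemd drop-in that makes unit $1 read /etc/sysconfig/$1.
dropin_for() {
    printf '[Service]\nEnvironmentFile=-/etc/sysconfig/%s\n' "$1"
}

# Only touch the live system when explicitly asked (assumed flag).
if [ "${1:-}" = "--check" ]; then
    rc=0
    for svc in foreman-proxy smart_proxy_dynflow_core; do
        service_has_shell "$svc" || rc=1
    done
    exit "$rc"
fi
```

Run it as `sh check_shell.sh --check` after `systemctl daemon-reload` and a restart of both services; a non-zero exit means one of them still lacks SHELL.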

In Foreman 1.18 / Katello 3.7, it works better out of the box. In a test setup, I managed to run an ansible role on the foreman host itself (registered in a FreeIPA instance before running the installer).
The only tuning I had to do is:

  • ln -s /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy /etc/foreman-proxy/id_rsa

  • add the generated key to the account for remote exec in FreeIPA

  • smartproxy / dynflow_core environment

    cat > /etc/sysconfig/foreman-proxy << EOF

    cat > /etc/systemd/system/smart_proxy_dynflow_core.service.d/override.conf << EOF

    cat > /etc/sysconfig/smart_proxy_dynflow_core << EOF

    hammer settings set --name remote_execution_ssh_user --value foremanremoteexecuser

The ansible roles associated to the foreman host are run. But I still have one problem: I don’t manage to enable sudo when playing ansible roles. I tried to update the /usr/share/foreman-proxy/.ansible.cfg file but it doesn’t work.

Should I open a bug on redmine for this?

I add that overriding the user to “root” when using plain SSH remote execution jobs works. It doesn’t work with ansible-based jobs.

I think this was fixed in foreman_ansible 2.2.2 that has been released yesterday, see Bug #23279: when running ansible job become is not working - Ansible - Foreman for more details. Once it hits 1.18 repositories, please let us know if that resolved your issue.

I confirm this works flawlessly with foreman_ansible 2.2.3.
Thanks for your help.