Connecting TFM to FreeIPA using ipa-client-install will configure /etc/ssh/ssh_config with the following lines:
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand SHELL=/bin/bash /usr/bin/sss_ssh_knownhostsproxy -p %p %h
When running a remote execution using TFM, the command will be run as the foreman-proxy user, and this user doesn't have a SHELL (/bin/false). It seems the sss_ssh_knownhostsproxy needs a shell to run. The nice thing is that this ssh proxy command handles the known_hosts file properly; without it we need to handle this file by hand or using alternative methods.
Does anybody have a similar setup?
Any known workaround?
Expected outcome:
Foreman and Proxy versions:
foreman-1.17.0-1.el7.noarch
foreman-proxy-1.17.0-1.el7.noarch
ipa VERSION: 4.5.0, API_VERSION: 2.228
Foreman and Proxy plugin versions:
tfm-rubygem-foreman_remote_execution-1.4.5-2.fm1_17.el7.noarch
tfm-rubygem-foreman_remote_execution_core-1.1.0-1.fm1_17.el7.noarch
Now that I'm trying to run Ansible roles, I had the same problem you describe.
Ansible uses a wrapper named 'sshpass' to ssh to hosts. Unset the ansible_password (in Settings > Ansible web page) and Ansible will not use it anymore. I think it conflicts with the sss_ssh_knownhostsproxy.
Next, ssh didn't find the SSH key (/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy, as defined by the default installer), so I renamed it and its public part to id_rsa (and fixed my puppetrun_ssh, which uses it too, but that's another subject).
Then, I was able to run Ansible roles.
What I don't understand is why I had to rename the key files. I was sure that ssh was by default looking for and using every key pair it could find.
So, if I sum up and don't forget anything, on a FreeIPA-enrolled Foreman server:
EnvironmentFile with SHELL defined is enough for Remote Execution and for puppetrun by SSH
For Ansible I needed more things:
/usr/share/foreman-proxy/.ansible directory with right chown/chmod
Global setting ansible_password undefined (default is ‘ansible’)
RSA keys in /usr/share/foreman/.ssh/ renamed to be compliant with default searches of ssh client
I had difficulties debugging because the ansible_verbosity setting is not available (though this issue is closed: Bug #20493: missing ansible_verbosity setting - Ansible - Foreman) and adding ansible_verbosity as a host parameter didn't work, so I had to add -vvv in the Ruby source code.
Adding -vvv in ssh args in /etc/ansible/ansible.cfg helped too.
This time it's the smart_proxy_dynflow_core daemon (also run as foreman-proxy) which needs a SHELL env variable.
So, override the systemd unit: create a file at /etc/systemd/system/smart_proxy_dynflow_core.service.d/override.conf (or run "systemctl edit smart_proxy_dynflow_core") with this content:
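The two fixes discussed in this thread (the foreman-proxy user having /bin/false as its login shell, so ssh cannot spawn the sss_ssh_knownhostsproxy ProxyCommand, and giving the smart_proxy_dynflow_core unit a SHELL through a systemd drop-in) can be checked and applied with a small POSIX shell script. This is an added example, not code from the thread or from the Foreman project; the function names, the passwd-format sample line and the optional directory/shell arguments (defaults /etc/systemd/system and /bin/bash) are assumptions made here so it can be dry-run in a scratch directory before touching a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project).
# 1) login_shell: read a user's login shell from a passwd-format file.
# 2) shell_is_usable: tell a real shell apart from nologin/false, which is
#    what makes ssh's ProxyCommand (sss_ssh_knownhostsproxy) fail.
# 3) write_shell_override: generate the systemd drop-in that exports SHELL
#    to the service, i.e. the override.conf mentioned in the thread.
# All paths are parameters so the functions can run against temp files.

# login_shell USER [PASSWDFILE]  -> prints the 7th passwd field (the shell)
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "${2:-/etc/passwd}"
}

# shell_is_usable SHELL  -> exit 0 for a real shell, 1 for nologin-style shells
shell_is_usable() {
    case "$1" in
        ""|/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# write_shell_override UNIT [SYSTEMD_DIR] [SHELL]
#   Writes SYSTEMD_DIR/UNIT.service.d/override.conf containing
#   [Service] Environment=SHELL=...; prints the path of the file written.
#   (Assumed layout: standard systemd drop-in directory.)
write_shell_override() {
    unit="$1"
    base="${2:-/etc/systemd/system}"
    sh="${3:-/bin/bash}"
    dropin="$base/$unit.service.d"
    mkdir -p "$dropin" || return 1
    printf '[Service]\nEnvironment=SHELL=%s\n' "$sh" > "$dropin/override.conf" || return 1
    printf '%s\n' "$dropin/override.conf"
}

# Dry run against a constructed passwd line in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample passwd entry: foreman-proxy with /bin/false as its shell.
    printf 'foreman-proxy:x:997:995:Foreman Proxy:/usr/share/foreman-proxy:/bin/false\n' \
        > "$tmp/passwd"
    current=$(login_shell foreman-proxy "$tmp/passwd")
    if shell_is_usable "$current"; then
        echo "foreman-proxy login shell is $current: ProxyCommand can run"
    else
        echo "foreman-proxy login shell is '$current': ProxyCommand cannot run; writing drop-in"
        write_shell_override smart_proxy_dynflow_core "$tmp/systemd" /bin/bash
    fi
    rm -rf "$tmp"
}

# Run the dry run only when executed directly, not when sourced for testing.
case "$0" in
    *shell_override*) demo ;;
esac
```

On a real host, call write_shell_override with the default directory, then run systemctl daemon-reload and restart the unit; the generated file is equivalent to what "systemctl edit" would open for you.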
In Foreman 1.18 / Katello 3.7, it works better out of the box. In a test setup, I managed to run an Ansible role on the Foreman host itself (registered in a FreeIPA instance before running the installer).
The only tuning I had to do was:
hammer settings set --name remote_execution_ssh_user --value foremanremoteexecuser
The Ansible roles associated with the Foreman host are run. But I still have one problem: I can't manage to enable sudo when playing the Ansible role. I tried to update the /usr/share/foreman-proxy/.ansible.cfg file but it doesn't work.