Ansible: Forward ssh agent and sudo
-
There is a control server with ansible, named server-ansible, and a test server test-web-server-01.
The playbook/role needs to clone a remote repository from the test-git-01 server as the apache user. SELinux is enabled on both hosts (CentOS 7).
The git server's host key was added in advance to the global known_hosts file (/etc/ssh/ssh_known_hosts) using the known_hosts module (http://docs.ansible.com/ansible/known_hosts_module.html):

    - name: git storage pubkey
      known_hosts:
        path: '/etc/ssh/ssh_known_hosts'
        name: 'test-git-01'
        key: "{{ lookup('file', 'files/ssh_keys/pubkeys/test-git-01.pub') }}"

(the key file was generated by hand: ssh-keyscan test-git-01 > test-git-01.pub)
However, trying to run git clone (or git pull) commands, e.g.

    - name: clone repository
      git:
        repo: git@test-git-01:testgroup/testrepo.git
        dest: "/www/testsite.ru/htdocs/"
      become: true
      become_user: apache

fails with an error.
That makes sense: the apache user has no ssh key, so it cannot connect to the git server.
Creating a separate key for apache with

    sudo -u apache ssh-keygen -t rsa

and registering it on the git server is not considered a solution. I would like the following: when the ansible user connects, its ssh key should be forwarded to the apache user. Since this key can work with the git server, it is safer if the apache user's ability to use it is not permanent, but only for the duration of the ansible run.
How do I correctly set up ssh key forwarding in ansible?
P.S. Update. Below is my own solution, which I arrived at and then found described in English-language sources. I could have posted it right away in question-and-answer mode, but I am interested in reading about other possible solutions to the task (maybe ACLs?); perhaps a better practice will be suggested. That is why I am not marking it as the accepted answer.
-
Two questions on the English-language StackOverflow/ServerFault practically give the answer.

https://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user describes the forwarding setup for the command line (pay attention: the setup for the home user differs from that for other users).

https://stackoverflow.com/questions/32091956/ansible-and-forwardagent-for-sudo-user describes the ansible setup and gives a few useful references: https://github.com/ansible/ansible/issues/7235#issuecomment-45842303 and the links from there.
The final solution is as follows:

Add to ansible.cfg the lines:

    [defaults]
    sudo_flags=-HE
Give apache access to the forwarded key (the agent socket):

    - name: grant access to apache
      file:
        group: apache
        mode: g+rwx
        path: "{{ item }}"
      with_items:
        - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
        - "{{ ansible_env.SSH_AUTH_SOCK }}"
In principle, that's all. A minor subtlety concerns why I can omit become: false: I have root SSH access blocked on all my machines, so I cannot connect to them as root.
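The pieces above assembled into one playbook, as an added example that is not the asker's own code. Host names, the repository and the destination path are taken from the question; the block/always structure that takes the group access away again once the clone is done is an assumption about how to keep apache's use of the forwarded agent limited to the run, and it still relies on sudo_flags=-HE in ansible.cfg so that sudo keeps SSH_AUTH_SOCK when becoming apache.

```yaml
# Assumed ansible.cfg on the control host (server-ansible):
#   [defaults]
#   sudo_flags=-HE
# -E keeps SSH_AUTH_SOCK in the environment of the become user.
- hosts: test-web-server-01
  become: true                      # tasks run as root unless overridden
  vars:
    # forwarded agent socket of the connecting ansible user
    agent_sock: "{{ ansible_env.SSH_AUTH_SOCK }}"
  tasks:
    - name: git server pubkey in the global known_hosts
      known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: test-git-01
        key: "{{ lookup('file', 'files/ssh_keys/pubkeys/test-git-01.pub') }}"

    - block:
        - name: let the apache group reach the forwarded agent socket
          file:
            path: "{{ item }}"
            group: apache
            mode: g+rwx
          with_items:
            - "{{ agent_sock | dirname }}"
            - "{{ agent_sock }}"

        - name: clone repository as apache through the forwarded agent
          git:
            repo: git@test-git-01:testgroup/testrepo.git
            dest: /www/testsite.ru/htdocs/
          become_user: apache       # sudo -HE -u apache, socket inherited

      always:
        # assumed addition: close the window again even if the clone failed
        - name: revoke apache group access to the agent socket
          file:
            path: "{{ item }}"
            mode: g-rwx
          with_items:
            - "{{ agent_sock }}"
            - "{{ agent_sock | dirname }}"
```

The socket under /tmp is removed by sshd when the ansible session ends anyway; the always block only shortens the window to the clone task itself.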