Ansible: Forward ssh agent and sudo

  • There is a control server running ansible, named server-ansible, and a server test-web-server-01.

    In a playbook/role, the apache user needs to clone a remote repository from the test-git-01 server. SELinux on both machines (CentOS 7 hosts) is enabled.

    The git server's key has been added in advance to the global known_hosts file (/etc/ssh/ssh_known_hosts) with:

    - name: git storage pubkey
      known_hosts: name=test-git-01 path=/etc/ssh/ssh_known_hosts key="{{ lookup('file', 'files/ssh_keys/pubkeys/') }}"

    (This key was obtained by hand with ssh-keyscan test-git-01.)

    However, when trying to run git clone (or git pull, etc.) there is an error.

    - name: clone repository
      git:
        repo: git@test-git-01:testgroup/testrepo.git
        dest: "/www/"
      become: true
      become_user: apache

    That makes sense: the apache user doesn't have an ssh key, so it can't connect to the server.

    The option of creating apache's own key with sudo -u apache ssh-keygen -t rsa and registering it on the git server is not considered as a solution.

    I'd like to do the following: when the ansible user connects, its ssh key should be forwarded so that the apache user can use it. Since this key can be used with the git server, it's safer if the apache user's ability to use it is not permanent, but only for the duration of the ansible run.

    How do I correctly set up forwarding of ssh keys in ansible?

    P.S. Update. Below is my own version, which I arrived at myself and then found on English SO. I could have posted it right away in question-and-answer mode, but I'm interested in reading about other possible solutions to the task (maybe ACL?); perhaps a better practice will be proposed. That's why I'm not going to accept the answer.

  • There are two questions on English StackOverflow that practically give the answer.

    The first describes setting up forwarding for the command line (note: the setup for the home user differs from that of other users); the second describes the ansible setup and gives a few useful links: and the link.

    The final solution is as follows:

    Add the following lines to ansible.cfg:


    Give apache access to the forwarded key:

    - name: grant access to apache
      file: group=apache mode=g+rwx path={{ item }}
      with_items:
        - "{{ ansible_env.SSH_AUTH_SOCK | dirname }}"
        - "{{ ansible_env.SSH_AUTH_SOCK }}"

    In principle, that's all. A minor subtlety is why I can omit become: false: direct SSH login is blocked on all my machines, so I can't connect that way.
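As an added example (not the original poster's playbook), the same approach with access to the forwarded agent granted through ACLs rather than a group-writable chmod, as the question wondered about, and revoked in an always block as soon as the run ends. It assumes the hosts, repository and paths from the question, and the standard ForwardAgent setting, since the page does not reproduce the ansible.cfg lines.

```yaml
# ansible.cfg (the standard agent-forwarding setting; the page's own lines
# are not shown, so this is an assumption):
#   [ssh_connection]
#   ssh_args = -o ForwardAgent=yes
#
# playbook.yml
- hosts: test-web-server-01
  vars:
    agent_sock: "{{ ansible_env.SSH_AUTH_SOCK }}"
  tasks:
    - block:
        - name: let apache traverse the agent socket directory (ACL, not chmod g+rwx)
          acl:
            path: "{{ agent_sock | dirname }}"
            entity: apache
            etype: user
            permissions: x
            state: present

        - name: let apache talk to the forwarded agent socket
          acl:
            path: "{{ agent_sock }}"
            entity: apache
            etype: user
            permissions: rw
            state: present

        - name: clone repository as apache with the forwarded key
          git:
            repo: git@test-git-01:testgroup/testrepo.git
            dest: /www/
            accept_hostkey: no   # host key is already in /etc/ssh/ssh_known_hosts
          become: true
          become_user: apache
          environment:
            SSH_AUTH_SOCK: "{{ agent_sock }}"   # sudo resets the environment

      always:
        - name: revoke apache's access to the agent as soon as the run ends
          acl:
            path: "{{ item }}"
            entity: apache
            etype: user
            state: absent
          with_items:
            - "{{ agent_sock }}"
            - "{{ agent_sock | dirname }}"
```

The ACL tasks run as the connecting user, who owns the socket, so no become is needed for them; the always section removes the entries even if the clone fails.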
