
2016-10-28

Ansible Online Notes

Online notes on technical issues I encountered using Ansible, and their resolutions. Posting online in case I need to refer to them again.
1.) The remote machine needs to have the Python simplejson or json module
Resolution: Run this command to install the module remotely:
ansible hostname -i inventory/hosts -m raw -a "sudo yum install -y python-simplejson" -k -u root -vvvv
2.) authorized_keys does not work on target ssh server
Symptom: When connecting by ssh from the Ansible server to the target server, it asks for a password even though .ssh/authorized_keys is set up.
Make sure the permissions on the ~/.ssh directory and its contents are proper. When I first set up my ssh key auth, I didn't have the ~/.ssh folder properly set up, and it yelled at me.
  • Your home directory ~, your ~/.ssh directory and the ~/.ssh/authorized_keys file on the remote machine must be writable only by you: rwx------ and rwxr-xr-x are fine, but rwxrwx--- is no good, even if you are the only user in your group (if you prefer numeric modes: 700 or 755, not 775).
    If ~/.ssh or authorized_keys is a symbolic link, the canonical path (with symbolic links expanded) is checked.
  • Your ~/.ssh/authorized_keys file (on the remote machine) must be readable (at least 400), but you'll need it to be also writable (600) if you will add any more keys to it.
  • Your private key file (on the local machine) must be readable and writable only by you: rw-------, i.e. 600.
  • Also, if SELinux is set to enforcing, you may need to run restorecon -R -v ~/.ssh (see e.g. Ubuntu bug 965663 and Debian bug report #658675; this is patched in CentOS 6).
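
As an added example (not part of the original notes), these shell functions check the modes listed above: no group or other write bit on ~, ~/.ssh and authorized_keys on the target, and nothing at all for group or other on the local private key. The function names and the --check argument are hypothetical, and it assumes a POSIX shell with an ls that supports -L.

```shell
# Added example, not from the original notes. Function names are hypothetical.
# Assumes a POSIX shell and an ls that supports -L (follow symlinks).

# Print the 10-character mode string (e.g. drwxr-xr-x) of the canonical path.
mode_string() {
    ls -ldL "$1" | cut -c1-10
}

# Succeed if group or other has the write bit (characters 6 and 9).
writable_by_others() {
    case $(mode_string "$1") in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check ~, ~/.ssh and ~/.ssh/authorized_keys under the given home directory
# on the target. Returns the number of problems found (0 means all fine).
check_ssh_perms() {
    csp_problems=0
    for csp_path in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$csp_path" ]; then
            echo "MISSING $csp_path"
            csp_problems=$((csp_problems + 1))
        elif writable_by_others "$csp_path"; then
            echo "BAD     $(mode_string "$csp_path") $csp_path (group/other writable)"
            csp_problems=$((csp_problems + 1))
        else
            echo "OK      $(mode_string "$csp_path") $csp_path"
        fi
    done
    return "$csp_problems"
}

# The private key on the local machine must grant nothing to group or other.
check_private_key() {
    case $(mode_string "$1") in
        -r??------) echo "OK      $1"; return 0 ;;
        *) echo "BAD     $(mode_string "$1") $1 (want rw-------)"; return 1 ;;
    esac
}

# Run the target-side check on the current user's home when asked to.
if [ "${1:-}" = "--check" ]; then
    check_ssh_perms "$HOME"
fi
```
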
If that does not work, on the target server:
sudo su -
service sshd stop   (Note: this will not kill your current session)
/usr/sbin/sshd -d   (Note: debug mode)
service sshd start  (Note: do this when finished debugging or else no one can ssh into the VM. Try ssh from a new terminal before exiting the main root terminal)
In debug mode, you will see what sshd is doing when it is trying to read the authorized_keys file.
In my case, sshd was reading the wrong file. To fix it, I had to
edit /etc/ssh/sshd_config and uncomment:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
Then restart sshd

service sshd stop
service sshd start
3.) Issue: The remote user needs to be able to "sudo su -" without a password. This was needed to configure the iptables firewall and run other super-admin commands.

Resolution: Have the user add an entry in the /etc/sudoers file.
Backlog Enhancement: Have a precondition check for root access, or find a way to make root access unnecessary.
4.)    Ansible 2.2.0 had a bug
https://github.com/ansible/ansible/issues/16128
Resolution: Updated Ansible from Git with the latest version
git pull --rebase
git submodule update --init --recursive
5.) Ansible has issues transferring files to the target server.
Ansible uses sftp to transfer files behind the scenes. Try
sftp user@target-server
to see if you can sftp without a password.
If you cannot, sftp sometimes has issues with echo in .bashrc. Comment out the echo in .bashrc and try again.
If that does not work, force Ansible to use scp instead of sftp.
In /etc/ansible/ansible.cfg, add the line
scp_if_ssh = True
or, if you cannot edit the ansible.cfg file, type this in the shell:
export ANSIBLE_SCP_IF_SSH=y
