Ansible synchronize prompts passphrase even if already entered at the beginning

The synchronize module of Ansible (v1.6.5) prompts for the passphrase (Enter passphrase for key) even though I already entered it at the beginning of running the playbook.

Any idea why?

I run my playbook with the following options:

-u myuser --ask-sudo-pass --private-key=/path/to/id_rsa

Here is my synchronize task:

- name: synchronize source files in src location
  sudo: yes
  synchronize: src={{local_src}} dest={{project_dirs.src}} archive=yes delete=yes rsync_opts=["--compress"]
  when: synchronize_src_files

UPDATE with ssh-agent

Following the advice of Lekensteyn, I tried with ssh-agent. I do not have a prompt anymore but the task fails. What am I missing?

eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa

The error:

TASK: [rolebooks/project | synchronize source files in src location] **********
failed: [10.0.0.101] => {"cmd": "rsync --delay-updates -FF --compress --delete-after --archive --rsh 'ssh -i /home/vagrant/.ssh/id_rsa -o StrictHostKeyChecking=no' --rsync-path=\"sudo rsync\" [--compress] --out-format='<<CHANGED>>%i %n%L' /projects/webapp [email protected]:/var/local/sites/project1/src", "failed": true, "rc": 12}
msg: sudo: no tty present and no askpass program specified
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(226) [sender=3.1.0]
Michael asked Jul 15 '14 16:07


2 Answers

The synchronize command (up to at least Ansible 1.6.6) seems to ignore the normal SSH control socket opened by Ansible. Your task could expand to the following:

{
    "cmd": "rsync --delay-updates -FF --compress --archive
        --rsh 'ssh  -o StrictHostKeyChecking=no'
        --out-format='<<CHANGED>>%i %n%L'
        /home/me/src/ user@host:/dest/",
    "failed": true,
    "rc": 23
}

To get these details, run your playbook with the -v option. As a workaround for this, you can start ssh-agent and cache your SSH key with ssh-add. Refer to their manual pages for details.

Extra caveats with the synchronize module:

  • When run with sudo: yes, ansible will run with --rsh 'sudo ssh' which will break if the remote sudo configuration requires a password and/or TTY. Solution: set sudo: no in your task definition.
  • The user that logs into the remote machine is your SSH user (ansible_ssh_user), not the sudo user. I have not found a way to override this user (besides an untested method that overrides the user with -o User option via one of the other options (dest_port="22 -o User=your_user"?) in combination with set_remote_user=yes).

This is taken from my tasks file:

- name: sync app files
  sudo: no
  synchronize: src={{app_srcdir}}/ dest={{appdir}}/
               recursive=yes
               rsync_opts=--exclude=.hg
# and of course Ubuntu 12.04 does not support --usermap..
#,--chown={{deployuser}}:www-data
# the above goes bad because ansible_ssh_user=user has no privileges
#  local_action: command rsync -av --chown=:www-data
#                 {{app_srcdir}}
#                 {{deployuser}}@{{inventory_hostname}}:{{appdir}}/
#  when: app_srcdir is defined
# The above still goes bad because {{inventory_hostname}} is not ssh host...
Lekensteyn answered Nov 12 '22 22:11


I think by default synchronize is explicitly setting a username on the rsync command - you can prevent this and allow rsync to work from your ssh config file.

http://docs.ansible.com/synchronize_module.html

set_remote_user put user@ for the remote paths. If you have a custom ssh config to define the remote user for a host that does not match the inventory user, you should set this parameter to "no".

I have a remote user configured in my ssh config and needed to add set_remote_user=no to get synchronize to work, otherwise it tried to use the wrong username and neither ssh key nor password would work.

Sean Burlington answered Nov 12 '22 22:11
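
Added example (not part of the question, either answer, or Ansible itself): a small Python helper that reads the failed-task JSON printed with -v and flags the conditions discussed on this page, namely the key file passed to rsync's own ssh, the disabled host key check, the remote sudo wrapper, and the forced user@ prefix. The sample input is constructed, modelled on the question's output with a placeholder user name; the function name and finding codes are hypothetical.

```python
import json
import shlex

# Constructed sample, modelled on the failed-task JSON shown in the question
# (the remote user "deploy" is a placeholder).
SAMPLE = json.dumps({
    "cmd": "rsync --delay-updates -FF --compress --delete-after --archive "
           "--rsh 'ssh -i /home/vagrant/.ssh/id_rsa -o StrictHostKeyChecking=no' "
           "--rsync-path=\"sudo rsync\" --out-format='<<CHANGED>>%i %n%L' "
           "/projects/webapp deploy@10.0.0.101:/var/local/sites/project1/src",
    "failed": True, "rc": 12,
})
SAMPLE_MSG = "sudo: no tty present and no askpass program specified"


def diagnose(result_json, msg=""):
    """Return (code, explanation) findings for a failed synchronize task."""
    argv = shlex.split(json.loads(result_json)["cmd"])
    rsh, rsync_path = "", ""
    for i, arg in enumerate(argv):
        if arg == "--rsh" and i + 1 < len(argv):
            rsh = argv[i + 1]                      # "--rsh 'ssh ...'" form
        elif arg.startswith("--rsh="):
            rsh = arg.split("=", 1)[1]
        elif arg.startswith("--rsync-path="):
            rsync_path = arg.split("=", 1)[1]
    findings = []
    if "-i" in shlex.split(rsh):
        findings.append(("KEYFILE", "rsync starts its own ssh with -i; a passphrase-"
                         "protected key prompts unless ssh-agent holds it"))
    if "StrictHostKeyChecking=no" in rsh:
        findings.append(("HOSTKEY", "ssh accepts unknown host keys without asking "
                         "for this transfer"))
    if rsync_path.split()[:1] == ["sudo"]:
        why = "remote rsync runs under sudo"
        if "no tty present" in msg:
            why += "; remote sudo wants a password/TTY, so use sudo: no"
        findings.append(("SUDO", why))
    if "@" in argv[-1].split(":", 1)[0]:           # destination is the last argument
        findings.append(("USER", "user@ is forced on the destination; "
                         "set_remote_user=no defers to ssh config"))
    return findings
```

Calling diagnose(SAMPLE, SAMPLE_MSG) returns all four findings; a command without -i and --rsync-path, like the one in the first answer, returns only HOSTKEY and USER.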