poanetwork / poa-devops

POA Network DevOps scripts
GNU General Public License v3.0

Please consider supporting interactive auth for playbooks deployments #8

Closed phahulin closed 6 years ago

phahulin commented 6 years ago

Originally by @micwebnet in https://github.com/poanetwork/deployment-playbooks/issues/44


If the SSH keys are password protected, ansible-playbook fails with

TASK [hf-spec-change : Shutdown poa-netstats service] *****
fatal: [52.191.165.235]: FAILED! => {"changed": false, "msg": "Unable to stop service poa-netstats: Failed to stop poa-netstats.service: Interactive authentication required.\nSee system logs and 'systemctl status poa-netstats.service' for details.\n"}
	to retry, use: --limit @/home/mm/poa-devops/site.retry

The workaround is to use non-password-protected ssh keys, but that's a security vulnerability if the control system is compromised. Suggest looking into allowing interactive auth during deployment.

Best, MM

phahulin commented 6 years ago

Hi, @micwebnet

The error message looks more like the script tried to execute sudo to stop the service but didn't succeed, waiting for the sudo password to be provided interactively. Without correct keys it should have stopped earlier, when trying to connect to the server.

The hf-spec-change assumes that the SSH keys you use correspond to the root user on the server. Probably that assumption is wrong in this case (Azure?). If you are connecting as another user (e.g. ubuntu), please change this line in site.yml

...
- hosts: hf-spec-change
  vars:
    date: "{{ lookup('pipe', 'date -u +%Y%m%d-%H%M%S') }}"
    home: "/home/{{ poa_role }}"
  user: root       # <----------------- change this to ubuntu or another name
  become: true
  become_user: root
  roles:
    - hf-spec-change
  tags: hf-spec

It will connect as ubuntu and then try to switch to root. If ubuntu does not have passwordless sudo access, you should add the --ask-sudo-pass flag when starting the playbook:

ansible-playbook -i hosts site.yml  --ask-sudo-pass

Please try to rerun the playbook following these remarks. If it succeeds, let me know here and I'll update the instructions. If it doesn't succeed and you still get errors, please run the playbook with the very very verbose logging flag -vvv:

ansible-playbook -i hosts site.yml -vvv --ask-sudo-pass

and attach the output.

Thanks
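
Added example, not part of the original thread or the project's code: a small triage helper that separates the two failure layers discussed above, SSH login versus privilege escalation, in `ansible-playbook` output. The sample output and host addresses are constructed, and `classify` and `triage` are hypothetical names.

```python
import json
import re

# Failure lines of Ansible's default output: fatal: [host]: FAILED! => {json}
FATAL_RE = re.compile(
    r"fatal: \[(?P<host>[^\]]+)\]: (?P<status>FAILED|UNREACHABLE)! => (?P<body>\{.*\})")

# Messages meaning "logged in, but could not become root".
ESCALATION_HINTS = (
    "Interactive authentication required",  # systemctl without root (this issue)
    "Missing sudo password",                # become needs a password, none given
    "a password is required",               # sudo refusing non-interactive use
)
SSH_HINTS = ("Permission denied (publickey", "Failed to connect to the host via ssh")

def classify(line):
    """Return (host, layer) for one failure line, or None for any other line."""
    m = FATAL_RE.search(line)
    if not m:
        return None
    try:
        msg = str(json.loads(m.group("body")).get("msg", ""))
    except json.JSONDecodeError:
        msg = m.group("body")  # body is not valid JSON: match on the raw text
    if m.group("status") == "UNREACHABLE" or any(h in msg for h in SSH_HINTS):
        return m.group("host"), "ssh-login"
    if any(h in msg for h in ESCALATION_HINTS):
        return m.group("host"), "privilege-escalation"
    return m.group("host"), "task"

def triage(output):
    """Map each failed host in a playbook run's output to the layer that failed."""
    return dict(r for r in map(classify, output.splitlines()) if r)

# Constructed sample output; hosts are documentation addresses (RFC 5737).
SAMPLE = r"""
ok: [192.0.2.9]
fatal: [192.0.2.10]: FAILED! => {"changed": false, "msg": "Unable to stop service poa-netstats: Failed to stop poa-netstats.service: Interactive authentication required.\n"}
fatal: [192.0.2.11]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).", "unreachable": true}
fatal: [192.0.2.12]: FAILED! => {"msg": "Missing sudo password"}
fatal: [192.0.2.13]: FAILED! => {"changed": false, "msg": "Could not find the requested service poa-netstats: host"}
"""

if __name__ == "__main__":
    for host, layer in triage(SAMPLE).items():
        print(f"{host}: {layer}")
```

A `privilege-escalation` result is the case described in the comment above: the SSH login worked, so the fix is a sudo-capable connecting user plus the sudo password prompt, not a different key. Current Ansible releases spell `--ask-sudo-pass` as `--ask-become-pass` (`-K`).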

phahulin commented 6 years ago

Hi, @micwebnet

Did you get a chance to test it during recent hard-forks? Is this issue still relevant?

micwebnet commented 6 years ago

Haven't had this issue after deploying a new after HF. The ansible playbook script just asked me for sudo password when it needed it.

phahulin commented 6 years ago

Great, I'll close this issue then