e30333940f
The known_hosts module returns a failure on centos/rocky 10 when given a comment line from ssh-keyscan output. Fix by excluding them with grep. Change-Id: I29e7e8a7480009fd359b8aa8b867b11900109f00 Signed-off-by: Pierre Riteau <pierre@stackhpc.com>
81 lines
2.7 KiB
YAML
81 lines
2.7 KiB
YAML
---
|
|
- block:
|
|
- name: Testing privilege escalation
|
|
raw: "true"
|
|
become: true
|
|
failed_when: false
|
|
changed_when: false
|
|
register: privilege_escalation_result
|
|
|
|
- name: Assert that we can escalate privileges
|
|
assert:
|
|
that:
|
|
- privilege_escalation_result is success
|
|
- '"password is required" not in privilege_escalation_result.stderr'
|
|
fail_msg: >-
|
|
Could not escalate privileges. You can either: set kayobe_control_host_become: true,
|
|
set ansible_become_password, or set up passwordless sudo.
|
|
when: kayobe_control_host_become | bool
|
|
|
|
- name: Include OS family-specific variables
|
|
include_vars: "{{ ansible_facts.os_family }}.yml"
|
|
|
|
- name: Gather the package facts
|
|
ansible.builtin.package_facts:
|
|
manager: auto
|
|
|
|
- block:
|
|
- name: Assert that all packages are installed if not using privilege escalation
|
|
assert:
|
|
that: missing_packages is falsy
|
|
fail_msg: >-
|
|
The following packages are missing from your system: {{ missing_packages | join(', ') }} and
|
|
privilege escalation is disabled. Please get your system administator to install these packages
|
|
or enable kayobe_control_host_become.
|
|
when: not kayobe_control_host_become | bool
|
|
|
|
- name: Ensure required packages are installed
|
|
package:
|
|
name: "{{ bootstrap_package_dependencies }}"
|
|
state: present
|
|
cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
|
|
update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
|
|
become: True
|
|
when: missing_packages is truthy
|
|
vars:
|
|
missing_packages: "{{ bootstrap_package_dependencies | difference(ansible_facts.packages.keys()) }}"
|
|
|
|
- name: Check whether an SSH key exists
|
|
stat:
|
|
path: "{{ bootstrap_ssh_private_key_path }}"
|
|
get_checksum: False
|
|
mime: False
|
|
register: ssh_key_stat
|
|
|
|
- name: Generate an SSH key
|
|
command: ssh-keygen -t {{ bootstrap_ssh_key_type }} -N '' -f {{ bootstrap_ssh_private_key_path }}
|
|
when: not ssh_key_stat.stat.exists
|
|
|
|
- name: Ensure SSH public key is in authorized keys
|
|
authorized_key:
|
|
user: "{{ ansible_facts.user_id }}"
|
|
key: "{{ lookup('file', bootstrap_ssh_private_key_path ~ '.pub') }}"
|
|
|
|
# NOTE(priteau): Exclude comments from ssh-keyscan output because they break
|
|
# known_hosts on centos/rocky 10.
|
|
- name: Scan for SSH keys
|
|
shell: ssh-keyscan {{ item }} | grep -v '^#'
|
|
with_items:
|
|
- localhost
|
|
- 127.0.0.1
|
|
register: keyscan_result
|
|
changed_when: False
|
|
|
|
- name: Ensure SSH keys are in known hosts
|
|
known_hosts:
|
|
host: "{{ item[0].item }}"
|
|
key: "{{ item[1] }}"
|
|
with_subelements:
|
|
- "{{ keyscan_result.results }}"
|
|
- stdout_lines
|