From 97428cb0a1d66a8d7c266d7807b150b09bac2750 Mon Sep 17 00:00:00 2001
From: Jimmy McCrory
Date: Tue, 13 Mar 2018 16:25:33 -0700
Subject: [PATCH] Avoid conflicting delegation with authorized_keys

When delegating with the authorized_key module, writes of multiple keys against the same host's file can occur at the same time, leading to missing keys.[0] To avoid conflicting delegation between hosts, the registered 'keystone_pubkey' fact now contains a list of SSH keys of all hosts the current batch of the play, rather than only the key of the current host. The first host within each batch will handle distribution of that batch's keys to all hosts within the play.
[0] https://github.com/ansible/ansible/issues/29693
Change-Id: I386e84eba46aa164db22618b7a6ac53b86eeeaf0
---
 tasks/keystone_key_distribute.yml | 2 +-
 tasks/keystone_key_populate.yml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml
index 202a49fe..cdb882d1 100644
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@@ -17,6 +17,6 @@
 authorized_key:
 user: "{{ keystone_system_user_name }}"
 key: "{{ keystone_pubkey | b64decode }}"
- when: keystone_pubkey is defined
+ when: inventory_hostname == ansible_play_batch[0]
 delegate_to: "{{ item }}"
 with_items: "{{ ansible_play_hosts }}"
diff --git a/tasks/keystone_key_populate.yml b/tasks/keystone_key_populate.yml
index 7332c220..cb59986e 100644
--- a/tasks/keystone_key_populate.yml
+++ b/tasks/keystone_key_populate.yml
@@ -21,4 +21,5 @@

 - name: Register a fact for the keystone pub key
 set_fact:
- keystone_pubkey: "{{ keystone_pub.content }}"
+ keystone_pubkey: "{{ ansible_play_batch | map('extract', hostvars, 'keystone_pub') | map(attribute='content') | map('b64decode') | join('\n') | b64encode }}"
+ when: inventory_hostname == ansible_play_batch[0]
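Review bot: The new condition on the distribute task, `when: inventory_hostname == ansible_play_batch[0]`, no longer checks that `keystone_pubkey` exists, yet the `key:` line still templates it. Ansible drops failed hosts from `ansible_play_batch`, so if the first host of a batch fails on some task between the populate step and this one, the next host becomes index 0 without the fact and the task stops on an undefined variable. Keeping the old guard next to the new one, `when: inventory_hostname == ansible_play_batch[0] and keystone_pubkey is defined`, avoids the template error. That batch's keys would then go undistributed without any message, so an explicit failure with a clear message may be the better choice. The start of this task is outside the hunk.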
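Review bot: The `set_fact` expression changes what `keystone_pubkey` holds, from one host's slurped key to a base64-encoded, newline-joined bundle of every batch host's key, set only on the first batch host, and neither the task name nor a comment says so. Anything else that reads the fact on the other hosts would now find it undefined, and the bundle is what ends up in the keystone user's authorized_keys on every play host, so the contract is worth stating above the task: `# keystone_pubkey: base64 of the newline-joined public keys of all hosts in ansible_play_batch; set only on ansible_play_batch[0]`. The pipeline also assumes every batch host has a registered `keystone_pub` with a `content` attribute (the registering task is outside the hunk). A host where that read was skipped would presumably make the whole expression fail for the batch.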