zuul/zuul-jobs
Code Issues Proposed changes

Deploy ssh key as root for non-root users

Browse Source 
The role to distribute the build ssh key to a user uses the "copy"
module in combination with become_user. When the target user is not
root, this does not work because the ansible user is not root
either and "copy" is not compatible with pipelining:
http://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user

To solve the issue run the copy as root and set the owner of the
target file. Use the "user" module to resolve "~" to the target user
home directory.

Change-Id: Ic66eb2b14bc55a412dfa73aa0722cd59887a4e83
This commit is contained in:
Andrea Frittoli 2018-04-23 12:39:39 +01:00
parent df364a46e0
commit 4ea02ec487
1 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
roles/copy-build-sshkey/tasks/main.yaml
View File

@ -1,25 +1,36 @@
--- ---
# Add the authorization first, to take advantage of manage_dir
- name: Authorize build key
authorized_key:
user: "{{ copy_sshkey_target_user }}"
manage_dir: yes
key: "{{ lookup('file', zuul_temp_ssh_key ~ '.pub') }}"
become: true
become_user: "{{ copy_sshkey_target_user }}"
# Use a block to add become to a set of tasks # Use a block to add become to a set of tasks
- block: - block:
# Add the authorization first, to take advantage of manage_dir - name: Get the {{ copy_sshkey_target_user }} user home folder
- name: Authorize build key user:
authorized_key: name: "{{ copy_sshkey_target_user }}"
user: "{{ copy_sshkey_target_user }}" register: target_user_registered
manage_dir: yes
key: "{{ lookup('file', zuul_temp_ssh_key ~ '.pub') }}"
# The copy module does not work with become_user even if pipelining is
# enabled when both ansible user and become_user are not root:
# http://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user
- name: Install the build private key - name: Install the build private key
copy: copy:
src: "{{ zuul_temp_ssh_key }}" src: "{{ zuul_temp_ssh_key }}"
dest: "~/.ssh/id_rsa" dest: "{{ target_user_registered.home }}/.ssh/id_rsa"
mode: 0600 mode: 0600
owner: "{{ copy_sshkey_target_user }}"
force: no force: no
- name: Install the build public key - name: Install the build public key
copy: copy:
src: "{{ zuul_temp_ssh_key }}.pub" src: "{{ zuul_temp_ssh_key }}.pub"
dest: "~/.ssh/id_rsa.pub" dest: "{{ target_user_registered.home }}/.ssh/id_rsa.pub"
mode: 0644 mode: 0644
owner: "{{ copy_sshkey_target_user }}"
force: no force: no
become: true become: true
become_user: "{{ copy_sshkey_target_user }}"