Store the first SSH private key in generated Ansible inventory #5765
Conversation
a6aa9c4 to 70e26da
(force rebased after f7894d9, docs still missing ;-)
The changes included in this PR work great. Using the Ansible provisioner with a multi-machine setup now causes the default insecure key to be removed. Here's the multi-machine Vagrantfile:
I've tested the following scenarios:
Running vagrant v1.7.2 unpatched, key insertion enabled
Running vagrant v1.7.2 unpatched, key insertion disabled
Running patched vagrant, key insertion enabled
Running patched vagrant, key insertion disabled
One thing I haven't done is test with static inventory files. If someone's able to chime in there, that'd be a big help!
Anything I can do to help here? I don't see this feature listed for inclusion in the pending changelog for 1.7.3, and would very much like to stop using the insecure default key with my ansible projects.
@conorsch thanks a lot for your help on testing. @mitchellh @sethvargo I'd ❤️ to get your feedback on this change request. It is related to the Ansible Parallel Execution Trick explained in the "Tips and Tricks" section of the Ansible provisioner docs and discussed at considerable length on the #1784 thread. It seems that many people use it and were impacted by the introduction of the "insecure key replacement" by default in Vagrant 1.7. With this change, it is no longer needed to set I also added a "wip" version of the related documentation updates, so you can better figure out the impact of these changes. I think that these code additions are still "not too complex/tricky" and are worth adding for Vagrant 1.7.3, but I don't want to merge it without core team approval.
be0efde to e0b946e
LGTM so far @gildegoma, let me know when it's ready!
@mitchellh excellent! Tomorrow, I'll do some more tests to verify again the backwards compatibility with static inventories and finalize the doc changes. /cc @conorsch @lpabon @maspwr (if you have time to look at it)
@mitchellh calloo callay! @gildegoma I don't use static inventories much with Vagrant, but will generate a test case tonight and run it through the paces, just to make sure we've got our bases covered. The documentation updates look great.
Using a static inventory file for Ansible and enabling dynamic key insertion as proposed in this PR causes the Ansible provisioner to fail, unless the new keys are added to the static inventory file. Running the Ansible provision with Overall this behavior is consistent with what the documentation states, but additional clarification would be helpful. In particular, this section of
should explicitly list the relevant settings, like so:
If you allow Vagrant to swap out the key for hosts managed by a static inventory file, you just need to tack on the Consider implementing the small edit to the docs, for newcomers. Otherwise, we're good to go! 👍
Thanks again @conorsch for your contributions! As an illustration for the records, let's take the following static inventory:

Everything runs perfectly with the following (sequential) configuration:

```ruby
Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
  N = 3
  (1..N).each do |machine_id|
    config.vm.define "machine#{machine_id}" do |machine|
      machine.vm.hostname = "machine#{machine_id}"
      machine.vm.network "private_network", ip: "192.168.77.#{20+machine_id}"
      # Each machine is provisioned on its own, right after it boots
      machine.vm.provision :ansible do |ansible|
        ansible.playbook = "example.yml"
        ansible.inventory_path = "static_inventory"
      end
    end
  end
end
```

And for the Ansible Parallelization Trick, the following approach works fine without modifying the static inventory:

```ruby
Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
  N = 3
  VAGRANT_VM_PROVIDER = "virtualbox"
  ANSIBLE_RAW_SSH_ARGS = []
  # Collect the private keys of machine1..machine(N-1) so that the ansible run
  # started from the last machine can reach all the others.
  # VAGRANT_DOTFILE_PATH is only set when the user overrides it; the default
  # location is ".vagrant" in the project directory.
  (1..N-1).each do |machine_id|
    ANSIBLE_RAW_SSH_ARGS << "-o IdentityFile=#{ENV.fetch("VAGRANT_DOTFILE_PATH", ".vagrant")}/machines/machine#{machine_id}/#{VAGRANT_VM_PROVIDER}/private_key"
  end
  (1..N).each do |machine_id|
    config.vm.define "machine#{machine_id}" do |machine|
      machine.vm.hostname = "machine#{machine_id}"
      machine.vm.network "private_network", ip: "192.168.77.#{20+machine_id}"
      # Only the last machine triggers ansible, with limit = 'all' so that the
      # whole inventory is provisioned in a single (parallel) run
      if machine_id == N
        machine.vm.provision :ansible do |ansible|
          ansible.playbook = "example.yml"
          ansible.limit = 'all'
          ansible.inventory_path = "static_inventory"
          ansible.raw_ssh_args = ANSIBLE_RAW_SSH_ARGS
        end
      end
    end
  end
end
```
@mitchellh I'll rebase it and merge right now to be sure to get it into 1.7.3 and will push the final documentation additions asap (@conorsch you're more than welcome to verify my english
Vagrant 1.7.1 creates and injects new ssh keys for each virtual machine. When it started ansible with the "parallel provisioning trick", it would only send the ssh key of the targeted virtual machine. With this change, vagrant now stores the ssh key for each virtual machine directly in the generated ansible inventory, and thus allows ansible parallelism. Note that this change is not sufficient, as it would break vagrant configuration based on a custom inventory (file or script). This issue will be addressed in a subsequent commit.
Signed-off-by: Luis Pabón <lpabon@redhat.com>
Signed-off-by: Luis Pabón <lpabon@redhat.com>
…en necessary) When provisioning multiple machines in sequence (the default vagrant behaviour), it doesn't make sense to require providing the private ssh key(s) via the custom ansible inventory script/file. To align with the handling of multiple ssh keys per machine, we will no longer rely on the `--private-key` command line argument, but only pass the keys via the `ANSIBLE_SSH_ARGS` environment variable. Note that when vagrant generates the ansible inventory and only one key is associated to a VM, this step would be redundant, and therefore won't be applied. This change fixes the breaking change introduced by 3d62a91.
[ci skip]
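As an added illustration of the mechanism described in the two commit messages above and in the raw_ssh_args trick earlier in the thread (this is example code written for this page, not Vagrant's own implementation), the following script renders inventory lines that carry each machine's first private key and builds the `-o IdentityFile=...` options for the remaining keys. The machine names, ports and key paths are constructed; the `Machine` struct and the helper names are assumptions made for the example, and the variable names `ansible_ssh_host`, `ansible_ssh_port` and `ansible_ssh_private_key_file` are the Ansible inventory variables of that era.

```ruby
# Example (not Vagrant's code): generated-inventory lines with the first key
# per machine, plus SSH IdentityFile options for any additional keys, so that
# a single ansible run can reach every machine without `--private-key`.

# One entry per Vagrant machine: name, SSH endpoint and the private keys known
# for it (the first one is the key Vagrant inserted). Struct is an assumption.
Machine = Struct.new(:name, :ssh_host, :ssh_port, :private_keys)

# Constructed sample data; paths do not need to exist for this script to run.
MACHINES = [
  Machine.new("machine1", "127.0.0.1", 2222,
              ["/tmp/.vagrant/machines/machine1/virtualbox/private_key"]),
  Machine.new("machine2", "127.0.0.1", 2200,
              ["/tmp/.vagrant/machines/machine2/virtualbox/private_key",
               "/home/user/.ssh/vagrant_deploy_key"]),
].freeze

# Render INI-style inventory lines. Only the first key is stored on the line;
# any other key has to travel through SSH arguments instead.
def inventory_lines(machines)
  machines.map do |m|
    "#{m.name} ansible_ssh_host=#{m.ssh_host} ansible_ssh_port=#{m.ssh_port} " \
    "ansible_ssh_private_key_file=#{m.private_keys.first}"
  end
end

# Build the `-o IdentityFile=...` options. With a generated inventory the first
# key of each machine is already on its inventory line and is skipped as
# redundant; with a custom (static) inventory every key must be passed this way.
# Duplicate paths are collapsed so a shared key is only offered once.
def identity_file_args(machines, generated_inventory: true)
  keys = machines.flat_map do |m|
    generated_inventory ? m.private_keys.drop(1) : m.private_keys
  end
  keys.uniq.map { |k| "-o IdentityFile=#{k}" }
end

# Value for the ANSIBLE_SSH_ARGS environment variable (options separated by
# spaces; paths containing spaces are out of scope for this example).
def ansible_ssh_args(machines, generated_inventory: true)
  identity_file_args(machines, generated_inventory: generated_inventory).join(" ")
end

if __FILE__ == $0
  puts inventory_lines(MACHINES)
  puts "ANSIBLE_SSH_ARGS (generated inventory): #{ansible_ssh_args(MACHINES)}"
  puts "ANSIBLE_SSH_ARGS (static inventory):    #{ansible_ssh_args(MACHINES, generated_inventory: false)}"
end
```

With a generated inventory, machine1 contributes no extra option (its only key is on the inventory line), while machine2's second key is offered through ANSIBLE_SSH_ARGS; with a static inventory that lists no key, all three paths are offered, which is exactly the situation the raw_ssh_args trick above handles by hand.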
4969a75 to e932bc4
Gotcha, my 4969a75 workaround is crappy, as 3 other unit tests (outside of Ansible provisioner scope) are failing now: https://travis-ci.org/mitchellh/vagrant/builds/70339230#L206-L217 At least it demonstrates that nothing is missing in the Ansible provisioner parts, so I'm merging (no time to tackle the RSpec regression now).
…ntory Store the first SSH private key in generated Ansible inventory
Pending before merge: