Browse Source

move vm ssh-server to a separate role and use lxc_ssh connection plugin to execute it on the lxc_guest

master
Andrea Cimbalo 8 years ago
parent
commit
1d0e62b2f3
15 changed files with 784 additions and 137 deletions
  1. +5
    -2
      blogs.yaml
  2. +2
    -1
      firewall.yaml
  3. +5
    -2
      ldap.yaml
  4. +594
    -0
      library/lxc_ssh.py
  5. +5
    -2
      lists.yaml
  6. +4
    -1
      logger.yaml
  7. +5
    -2
      mail.yaml
  8. +6
    -3
      projects.yaml
  9. +0
    -118
      roles/lxc_guest/tasks/main.yaml
  10. +8
    -0
      roles/ssh_server/handlers/main.yaml
  11. +132
    -0
      roles/ssh_server/tasks/main.yaml
  12. +5
    -2
      team_server.yaml
  13. +5
    -2
      users.yaml
  14. +5
    -2
      webmail.yaml
  15. +3
    -0
      wiki.yaml

+ 5
- 2
blogs.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: blogs
- role: lxc_guest
vm_name: blogs
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: blogs
- hosts: blogs
roles:
- role: wordpress


+ 2
- 1
firewall.yaml View File

@ -1,4 +1,5 @@
---
- hosts: gandalf2
roles:
- role: openvpn
- role: openvpn
- role: ssh_server

+ 5
- 2
ldap.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: ldap
- role: lxc_guest
vm_name: ldap
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: ldap
- hosts: ldap
roles:
- role: ldap


+ 594
- 0
library/lxc_ssh.py View File

@ -0,0 +1,594 @@
# Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net>
#
# SSH + lxc-attach connection module for Ansible 2.0
#
# Adapted from ansible/plugins/connection/ssh.py
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
import fcntl
import os
import pipes
import pty
import select
import shlex
import subprocess
from ansible import constants as C
from ansible.compat.six import text_type, binary_type
from ansible.plugins.connection import ConnectionBase
from ansible.utils.path import unfrackpath, makedirs_safe
from ansible.module_utils._text import to_bytes, to_text
try:
from __main__ import display
except ImportError:
from ansible.utils.display import Display
display = Display()
class Connection(ConnectionBase):
transport = 'lxc_ssh'
has_pipelining = True
def __init__(self, play_context, new_stdin, *args, **kwargs):
#print args
#print kwargs
super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
self.host=self._play_context.remote_addr
self.container_name = play_context.docker_extra_args # XXX
def _connect(self):
''' connect to the lxc; nothing to do here '''
display.vvv('XXX connect')
super(Connection, self)._connect()
#self.container_name = self.ssh._play_context.remote_addr
# self._play_context.ssh_extra_args = ""
#self.container = None
@staticmethod
def _persistence_controls(command):
'''
Takes a command array and scans it for ControlPersist and ControlPath
settings and returns two booleans indicating whether either was found.
This could be smarter, e.g. returning false if ControlPersist is 'no',
but for now we do it simple way.
'''
controlpersist = False
controlpath = False
for arg in command:
if 'controlpersist' in arg.lower():
controlpersist = True
elif 'controlpath' in arg.lower():
controlpath = True
return controlpersist, controlpath
@staticmethod
def _split_args(argstring):
"""
Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a
list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to
the argument list. The list will not contain any empty elements.
"""
return [to_text(x.strip()) for x in shlex.split(to_bytes(argstring)) if x.strip()]
def _add_args(self, explanation, args):
"""
Adds the given args to self._command and displays a caller-supplied
explanation of why they were added.
"""
self._command += args
display.vvvvv('SSH: ' + explanation + ': (%s)' % ')('.join(args), host=self._play_context.remote_addr)
def _build_command(self, binary, *other_args):
self._command = []
self._command += [binary]
self._command += ['-C']
if self._play_context.verbosity > 3:
self._command += ['-vvv']
elif binary == 'ssh':
# Older versions of ssh (e.g. in RHEL 6) don't accept sftp -q.
self._command += ['-q']
# Next, we add [ssh_connection]ssh_args from ansible.cfg.
# if self._play_context.ssh_args:
# args = self._split_args(self._play_context.ssh_args)
# self._add_args("ansible.cfg set ssh_args", args)
# Now we add various arguments controlled by configuration file settings
# (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or
# a combination thereof.
if not C.HOST_KEY_CHECKING:
self._add_args(
"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled",
("-o", "StrictHostKeyChecking=no")
)
if self._play_context.port is not None:
self._add_args(
"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set",
("-o", "Port={0}".format(self._play_context.port))
)
key = self._play_context.private_key_file
if key:
self._add_args(
"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set",
("-o", "IdentityFile=\"{0}\"".format(os.path.expanduser(key)))
)
if not self._play_context.password:
self._add_args(
"ansible_password/ansible_ssh_pass not set", (
"-o", "KbdInteractiveAuthentication=no",
"-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
"-o", "PasswordAuthentication=no"
)
)
user = self._play_context.remote_user
if user:
self._add_args(
"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set",
("-o", "User={0}".format(to_bytes(self._play_context.remote_user)))
)
self._add_args(
"ANSIBLE_TIMEOUT/timeout set",
("-o", "ConnectTimeout={0}".format(self._play_context.timeout))
)
# Check if ControlPersist is enabled and add a ControlPath if one hasn't
# already been set.
controlpersist, controlpath = self._persistence_controls(self._command)
if controlpersist:
self._persistent = True
if not controlpath:
cpdir = unfrackpath('$HOME/.ansible/cp')
# The directory must exist and be writable.
makedirs_safe(cpdir, 0o700)
if not os.access(cpdir, os.W_OK):
raise AnsibleError("Cannot write to ControlPath %s" % cpdir)
args = ("-o", "ControlPath={0}".format(
to_bytes(C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=cpdir)))
)
self._add_args("found only ControlPersist; added ControlPath", args)
## Finally, we add any caller-supplied extras.
if other_args:
self._command += other_args
return self._command
def _send_initial_data(self, fh, in_data):
'''
Writes initial data to the stdin filehandle of the subprocess and closes
it. (The handle must be closed; otherwise, for example, "sftp -b -" will
just hang forever waiting for more commands.)
'''
display.debug('Sending initial data')
try:
fh.write(in_data)
fh.close()
except (OSError, IOError):
raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
display.debug('Sent initial data (%d bytes)' % len(in_data))
# Used by _run() to kill processes on failures
@staticmethod
def _terminate_process(p):
""" Terminate a process, ignoring errors """
try:
p.terminate()
except (OSError, IOError):
pass
# This is separate from _run() because we need to do the same thing for stdout
# and stderr.
def _examine_output(self, source, state, chunk, sudoable):
'''
Takes a string, extracts complete lines from it, tests to see if they
are a prompt, error message, etc., and sets appropriate flags in self.
Prompt and success lines are removed.
Returns the processed (i.e. possibly-edited) output and the unprocessed
remainder (to be processed with the next chunk) as strings.
'''
output = []
for l in chunk.splitlines(True):
suppress_output = False
#display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
if self._play_context.prompt and self.check_password_prompt(l):
display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
self._flags['become_prompt'] = True
suppress_output = True
elif self._play_context.success_key and self.check_become_success(l):
display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
self._flags['become_success'] = True
suppress_output = True
elif sudoable and self.check_incorrect_password(l):
display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
self._flags['become_error'] = True
elif sudoable and self.check_missing_password(l):
display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
self._flags['become_nopasswd_error'] = True
if not suppress_output:
output.append(l)
# The chunk we read was most likely a series of complete lines, but just
# in case the last line was incomplete (and not a prompt, which we would
# have removed from the output), we retain it to be processed with the
# next chunk.
remainder = ''
if output and not output[-1].endswith('\n'):
remainder = output[-1]
output = output[:-1]
return ''.join(output), remainder
def _run(self, cmd, in_data, sudoable=True):
'''
Starts the command and communicates with it until it ends.
'''
display_cmd = map(to_text, map(pipes.quote, cmd))
display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host)
# Start the given command. If we don't need to pipeline data, we can try
# to use a pseudo-tty (ssh will have been invoked with -tt). If we are
# pipelining data, or can't create a pty, we fall back to using plain
# old pipes.
p = None
if isinstance(cmd, (text_type, binary_type)):
cmd = to_bytes(cmd)
else:
cmd = map(to_bytes, cmd)
if not in_data:
try:
# Make sure stdin is a proper pty to avoid tcgetattr errors
master, slave = pty.openpty()
p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdin = os.fdopen(master, 'w', 0)
os.close(slave)
except (OSError, IOError):
p = None
if not p:
p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdin = p.stdin
# If we are using SSH password authentication, write the password into
# the pipe we opened in _build_command.
if self._play_context.password:
os.close(self.sshpass_pipe[0])
os.write(self.sshpass_pipe[1], "{0}\n".format(to_bytes(self._play_context.password)))
os.close(self.sshpass_pipe[1])
## SSH state machine
#
# Now we read and accumulate output from the running process until it
# exits. Depending on the circumstances, we may also need to write an
# escalation password and/or pipelined input to the process.
states = [
'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit'
]
# Are we requesting privilege escalation? Right now, we may be invoked
# to execute sftp/scp with sudoable=True, but we can request escalation
# only when using ssh. Otherwise we can send initial data straightaway.
state = states.index('ready_to_send')
if b'ssh' in cmd:
if self._play_context.prompt:
# We're requesting escalation with a password, so we have to
# wait for a password prompt.
state = states.index('awaiting_prompt')
display.debug('Initial state: %s: %s' % (states[state], self._play_context.prompt))
elif self._play_context.become and self._play_context.success_key:
# We're requesting escalation without a password, so we have to
# detect success/failure before sending any initial data.
state = states.index('awaiting_escalation')
display.debug('Initial state: %s: %s' % (states[state], self._play_context.success_key))
# We store accumulated stdout and stderr output from the process here,
# but strip any privilege escalation prompt/confirmation lines first.
# Output is accumulated into tmp_*, complete lines are extracted into
# an array, then checked and removed or copied to stdout or stderr. We
# set any flags based on examining the output in self._flags.
stdout = stderr = ''
tmp_stdout = tmp_stderr = ''
self._flags = dict(
become_prompt=False, become_success=False,
become_error=False, become_nopasswd_error=False
)
# select timeout should be longer than the connect timeout, otherwise
# they will race each other when we can't connect, and the connect
# timeout usually fails
timeout = 2 + self._play_context.timeout
rpipes = [p.stdout, p.stderr]
for fd in rpipes:
fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK)
# If we can send initial data without waiting for anything, we do so
# before we call select.
if states[state] == 'ready_to_send' and in_data:
self._send_initial_data(stdin, in_data)
state += 1
while True:
rfd, wfd, efd = select.select(rpipes, [], [], timeout)
# We pay attention to timeouts only while negotiating a prompt.
if not rfd:
if state <= states.index('awaiting_escalation'):
# If the process has already exited, then it's not really a
# timeout; we'll let the normal error handling deal with it.
if p.poll() is not None:
break
self._terminate_process(p)
raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, stdout))
# Read whatever output is available on stdout and stderr, and stop
# listening to the pipe if it's been closed.
if p.stdout in rfd:
chunk = p.stdout.read()
if chunk == '':
rpipes.remove(p.stdout)
tmp_stdout += chunk
display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, chunk))
if p.stderr in rfd:
chunk = p.stderr.read()
if chunk == '':
rpipes.remove(p.stderr)
tmp_stderr += chunk
display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, chunk))
# We examine the output line-by-line until we have negotiated any
# privilege escalation prompt and subsequent success/error message.
# Afterwards, we can accumulate output without looking at it.
if state < states.index('ready_to_send'):
if tmp_stdout:
output, unprocessed = self._examine_output('stdout', states[state], tmp_stdout, sudoable)
stdout += output
tmp_stdout = unprocessed
if tmp_stderr:
output, unprocessed = self._examine_output('stderr', states[state], tmp_stderr, sudoable)
stderr += output
tmp_stderr = unprocessed
else:
stdout += tmp_stdout
stderr += tmp_stderr
tmp_stdout = tmp_stderr = ''
# If we see a privilege escalation prompt, we send the password.
# (If we're expecting a prompt but the escalation succeeds, we
# didn't need the password and can carry on regardless.)
if states[state] == 'awaiting_prompt':
if self._flags['become_prompt']:
display.debug('Sending become_pass in response to prompt')
stdin.write('{0}\n'.format(to_bytes(self._play_context.become_pass )))
self._flags['become_prompt'] = False
state += 1
elif self._flags['become_success']:
state += 1
# We've requested escalation (with or without a password), now we
# wait for an error message or a successful escalation.
if states[state] == 'awaiting_escalation':
if self._flags['become_success']:
display.debug('Escalation succeeded')
self._flags['become_success'] = False
state += 1
elif self._flags['become_error']:
display.debug('Escalation failed')
self._terminate_process(p)
self._flags['become_error'] = False
raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
elif self._flags['become_nopasswd_error']:
display.debug('Escalation requires password')
self._terminate_process(p)
self._flags['become_nopasswd_error'] = False
raise AnsibleError('Missing %s password' % self._play_context.become_method)
elif self._flags['become_prompt']:
# This shouldn't happen, because we should see the "Sorry,
# try again" message first.
display.debug('Escalation prompt repeated')
self._terminate_process(p)
self._flags['become_prompt'] = False
raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
# Once we're sure that the privilege escalation prompt, if any, has
# been dealt with, we can send any initial data and start waiting
# for output.
if states[state] == 'ready_to_send':
if in_data:
self._send_initial_data(stdin, in_data)
state += 1
# Now we're awaiting_exit: has the child process exited? If it has,
# and we've read all available output from it, we're done.
if p.poll() is not None:
if not rpipes or not rfd:
break
# When ssh has ControlMaster (+ControlPath/Persist) enabled, the
# first connection goes into the background and we never see EOF
# on stderr. If we see EOF on stdout and the process has exited,
# we're probably done. We call select again with a zero timeout,
# just to make certain we don't miss anything that may have been
# written to stderr between the time we called select() and when
# we learned that the process had finished.
if p.stdout not in rpipes:
timeout = 0
continue
# If the process has not yet exited, but we've already read EOF from
# its stdout and stderr (and thus removed both from rpipes), we can
# just wait for it to exit.
elif not rpipes:
p.wait()
break
# Otherwise there may still be outstanding data to read.
# close stdin after process is terminated and stdout/stderr are read
# completely (see also issue #848)
stdin.close()
if C.HOST_KEY_CHECKING:
if cmd[0] == b"sshpass" and p.returncode == 6:
raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.')
controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or 'unknown configuration option: ControlPersist' in stderr
if p.returncode != 0 and controlpersisterror:
raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again')
if p.returncode == 255 and in_data:
raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
return (p.returncode, stdout, stderr)
def _exec_command(self, cmd, in_data=None, sudoable=True):
''' run a command on the remote host '''
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr)
# we can only use tty when we are not pipelining the modules. piping
# data into /usr/bin/python inside a tty automatically invokes the
# python interactive-mode but the modules are not compatible with the
# interactive-mode ("unexpected indent" mainly because of empty lines)
if in_data:
cmd = self._build_command('ssh', self.host, cmd)
else:
cmd = self._build_command('ssh', '-tt', self.host, cmd)
(returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
return (returncode, stdout, stderr)
def dir_print(self,obj):
for attr_name in dir(obj):
try:
attr_value = getattr(obj, attr_name)
print(attr_name, attr_value, callable(attr_value))
except:
pass
def exec_command(self, cmd, in_data=None, sudoable=False):
''' run a command on the chroot '''
display.vvv('XXX exec_command: %s' % cmd)
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
# print dir(self)
# print dir(self._play_context)
# print self._play_context._attributes
# self.dir_print(self._play_context)
# print dir(self._play_context._vars)
# print self._play_context._attributes['vars']
# vm = self._play_context.get_ds()
# print( vm )
# raise "blah"
h = self.container_name
lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
if in_data:
cmd = self._build_command('ssh', self.host, lxc_cmd)
else:
cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
#self.ssh.exec_command(lxc_cmd,in_data,sudoable)
(returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
return (returncode, stdout, stderr)
def put_file(self, in_path, out_path):
''' transfer a file from local to lxc '''
display.vvv('XXX put_file %s %s' % (in_path,out_path))
super(Connection, self).put_file(in_path, out_path)
if not os.path.exists(in_path):
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
with open(in_path,'r') as in_f:
in_data = in_f.read()
cmd = ('cat > %s; echo -n done' % pipes.quote(out_path))
h = self.container_name
lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
if in_data:
cmd = self._build_command('ssh', self.host, lxc_cmd)
else:
cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
#self.ssh.exec_command(lxc_cmd,in_data,sudoable)
(returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
return (returncode, stdout, stderr)
def fetch_file(self, in_path, out_path):
''' fetch a file from lxc to local '''
display.vvv('XXX fetch_file %s %s' % (in_path,out_path))
super(Connection, self).fetch_file(in_path, out_path)
cmd = ('cat %s' % pipes.quote(in_path))
h = self.container_name
lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
% (pipes.quote(h),
pipes.quote(cmd))
in_data = None
if in_data:
cmd = self._build_command('ssh', self.host, lxc_cmd)
else:
cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
(returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
if returncode != 0:
raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr))
with open(out_path,'w') as out_f:
out_f.write(stdout)
def close(self):
''' terminate the connection; nothing to do here '''
display.vvv('XXX close')
super(Connection, self).close()
#self.ssh.close()
self._connected = False

+ 5
- 2
lists.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: lists
- role: lxc_guest
vm_name: lists
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: lists
- hosts: lists
roles:
- role: sympa

+ 4
- 1
logger.yaml View File

@ -3,6 +3,9 @@
roles:
- role: lxc_guest
vm_name: logger
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: logger
- hosts: all
tasks:
@ -35,7 +38,7 @@
- hosts: all
vars:
- log_destination:
- log_destination:
tasks:
- name: Configure rsyslog client
template:


+ 5
- 2
mail.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: mail
- role: lxc_guest
vm_name: mail
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: mail
- hosts: mail
roles:
- role: postfix


+ 6
- 3
projects.yaml View File

@ -1,9 +1,12 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: projects
# distro: sid
- role: lxc_guest
vm_name: projects
# distro: sid
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: projects
- hosts: projects
roles:
- role: gitlab

+ 0
- 118
roles/lxc_guest/tasks/main.yaml View File

@ -72,96 +72,6 @@
register: container_dns_configuration
changed_when: "container_dns_configuration.stdout != 'nameserver {{ hostvars[ext_gateway].ansible_host }}'"
- name: Check if host certificate exists
container_file_exists:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: vm_ssh_certificate_exists
- debug:
var: vm_ssh_certificate_exists
verbosity: 2
- block:
- name: Read host public key
container_file_read:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key.pub"
register: vm_public_key
- debug:
var: vm_public_key
verbosity: 2
- name: generate host request
set_fact:
cert_request:
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ vm_name }}'
keyData: '{{ vm_public_key.text }}'
- debug:
var: cert_request
verbosity: 2
- name: start sign request
raw: "{{ cert_request | to_json }}"
delegate_to: ca_request
delegate_facts: True
register: request_result
failed_when: "( request_result.stdout | from_json ).failed"
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.results[0].stdout | from_json }}"
- debug:
var: request_output
verbosity: 2
- name: generate get request
set_fact:
get_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: get_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
raw: "{{ get_request | to_json }}"
delegate_to: ca_request
delegate_facts: True
register: cert_result
failed_when: "(cert_result.stdout | from_json).failed"
- debug:
var: cert_result
verbosity: 2
- set_fact:
cert_key: "{{ cert_result.results[0].stdout | string | from_json }}"
- name: Write certificate to container
container_file_write:
name: "{{ vm_name }}"
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
text: "{{ cert_key.result }}"
register: set_pub_key
notify: restart container
when: "not vm_ssh_certificate_exists.exists"
- name: update container network configuration
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
register: container_network
@ -174,38 +84,10 @@
changed_when: "install_packages.stdout.find('0 newly installed') == -1"
notify: restart container
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
container_file_write:
name: "{{ vm_name }}"
path: "/etc/ssh/user_ca.pub"
text: "ssh-rsa {{ user_ca_key }}"
- name: trust user ca key
shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
register: trust_ca_key
changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"
notify: restart container
# Restart container when one in
# - container_dns_configuration
# - network conf has changed
# - set_pub_key
# - install_packages
# - trust_ca_key
# - container_network
# is changed by executing handlers now
- meta: flush_handlers
- name: "waiting for ssh on {{ vm_name }} vm to start"
wait_for:
host: "{{ hostvars[vm_name]['ansible_host'] }}"
port: 22
timeout: 30
delegate_to: "{{ inventory_hostname }}"
delegate_facts: True
- pause: seconds=20

+ 8
- 0
roles/ssh_server/handlers/main.yaml View File

@ -0,0 +1,8 @@
---
- include: service.yaml
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
vars:
service_name: ssh
service_packages:
- openssh

+ 132
- 0
roles/ssh_server/tasks/main.yaml View File

@ -0,0 +1,132 @@
- include: service.yaml
# static: yes # see static include issue: https://github.com/ansible/ansible/issues/13485
vars:
service_name: ssh
service_packages:
- openssh-server
- name: Check if host certificate exists
stat:
path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: vm_ssh_certificate_exists
- debug:
var: vm_ssh_certificate_exists
verbosity: 2
- block:
- name: Read host public key
slurp:
src: "/etc/ssh/ssh_host_ed25519_key.pub"
register: vm_public_key
- debug:
var: vm_public_key['content']
verbosity: 2
- name: read hostname
shell: /bin/hostname
register: hostname_result
changed_when: false
- name: generate host request
set_fact:
cert_request:
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ hostname_result.stdout }}'
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
- debug:
var: cert_request | to_json
verbosity: 2
- name: start sign request
raw: "{{ cert_request | to_json }}"
delegate_to: ca_request
delegate_facts: True
connection: ssh
register: request_result
failed_when: "( request_result.stdout | from_json ).failed"
- debug:
var: request_result
verbosity: 2
- set_fact:
request_output: "{{ request_result.stdout | from_json }}"
- debug:
var: request_output
verbosity: 2
- name: generate get request
set_fact:
get_request:
type: 'get_certificate'
requestID: '{{ request_output.requestID }}'
- debug:
var: get_request
verbosity: 2
- debug:
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
- name: wait for cert
raw: "{{ get_request | to_json }}"
delegate_to: ca_request
delegate_facts: True
connection: ssh
register: cert_result
failed_when: "(cert_result.stdout | from_json).failed"
- debug:
var: cert_result
verbosity: 2
- set_fact:
cert_key: "{{ cert_result.stdout | string | from_json }}"
- name: Write certificate to container
copy:
content: "{{ cert_key.result }}"
dest: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
register: set_pub_key
notify: restart ssh
when: "not vm_ssh_certificate_exists.stat.exists"
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
copy:
content: "ssh-rsa {{ user_ca_key }}"
dest: "/etc/ssh/user_ca.pub"
- name: add certificate to sshd config
lineinfile:
line: 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^HostCertificate *'
notify: restart ssh
- name: trust user ca key
lineinfile:
line: 'TrustedUserCAKeys /etc/ssh/user_ca.pub'
dest: '/etc/ssh/sshd_config'
regexp: '^TrustedUserCAKeys *'
notify: restart ssh
- meta: flush_handlers
- name: "waiting for ssh on {{ inventory_hostname }} vm to start"
wait_for:
host: "{{ hostvars[inventory_hostname]['ansible_host'] }}"
port: 22
timeout: 30
delegate_to: "{{ inventory_hostname }}"
delegate_facts: True

+ 5
- 2
team_server.yaml View File

@ -1,8 +1,11 @@
---
- hosts: lilikhost
roles:
- role: lxc_guest
vm_name: team
- role: lxc_guest
vm_name: team
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: team
- hosts: team
roles:
- role: mattermost


+ 5
- 2
users.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: users
- role: lxc_guest
vm_name: users
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: users
- hosts: users
roles:
- role: fail2ban


+ 5
- 2
webmail.yaml View File

@ -1,8 +1,11 @@
---
- hosts: biff
roles:
- role: lxc_guest
vm_name: webmail
- role: lxc_guest
vm_name: webmail
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: webmail
- hosts: webmail
roles:
- role: roundcube


+ 3
- 0
wiki.yaml View File

@ -3,6 +3,9 @@
roles:
- role: lxc_guest
vm_name: wiki
- role: ssh_server
connection: lxc_ssh
ansible_docker_extra_args: wiki
- hosts: wiki
roles:
- role: dokuwiki

Loading…
Cancel
Save