I am a dev and want to use ansible to create dev-setups in VMs for various projects (one VM per project). VM manager commands are used to create a VM from a template; the template contains a stock OS install (typically Linux) with one addition: a public ssh-key specifically for use with ansible has been placed in the VM root user's .ssh/authorized_keys file. Global vars are then used to set ssh config:
    ansible_user: root
    ansible_private_key_file: keys/id_rsa_ansible
Then my ansible.cfg contains some entries for ssh-agent setup:
    [ssh_connection]
    ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
With this setup I can launch ansible scripts to perform a number of root tasks such as installing packages & creating user accounts for a set of devs.
On the VM host I am logged in using my dev-user account, say mike. The ssh-agent setup also ensures that all ssh-keys loaded for user mike are also available in the VM through the ssh connection.
I now want to perform further, dev-specific tasks as user mike on the VM (whose account now exists). The main task is to check out the project code, which requires mike's ssh-key.
Using become uses sudo, which does not forward ssh-keys, so this is not an option. I do not want to push private keys around as they would need to be on the host .. and no longer be private.
The following now determines the dev's username on the host and uses it in an ssh command to achieve the checkout. This nicely restricts access to those projects the dev user's key works for without further config.
    - name: get the dev's username running the deploy
      become: false
      local_action: command whoami
      register: username_on_the_host

    - name: Test checkout
      command: ssh -o StrictHostKeyChecking=no -o ForwardAgent=yes {{ username_on_the_host.stdout }}@localhost "mkdir hg && cd hg && hg clone ssh://hg//hg/my_project"
It works, but it's not a particularly clean solution.
So, finally, to come to the question: is there a cleaner way to switch ssh session? One way might be to run a totally separate playbook with an ssh session for the dev user, but this does not seem to be in the spirit of ansible. I want to run an entire block, task, or role as a different ssh user.
This could be achieved if the become module were to support become_method ssh, which would retain the ssh-keys in the agent.
ansible_user in the playbook. So you'd have one file with two playbooks in them, each playbook defining a different ansible_user. – Tomáš Pospíšek
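The two-plays-in-one-file approach from the comment, written out as an added example (this is not code from the question or from the Ansible project). It keeps the question's setup: the template VM trusts keys/id_rsa_ansible for root, the controlling user's ssh-agent holds the developer's own key, and the project lives at ssh://hg//hg/my_project. Assumptions beyond the post: an inventory group named devvm, a Debian/Ubuntu guest (apt), that `ssh-add -L` on the host lists the developer's public key, and that the developer's username on the host is read from $USER. The second play opens a fresh ssh session as that user instead of sudo-ing from root, so the agent forwarded by the ansible.cfg ssh_args is available to hg without any private key leaving the host.

```yaml
# Added example, not from the original post.
# Play 1 runs as root with the ansible-specific key; play 2 reconnects as the
# developer so the agent-forwarded key (ForwardAgent=yes from ansible.cfg) is
# usable by hg. Assumed: group "devvm", apt-based guest, $USER is the dev name.
- name: Provision the VM as root
  hosts: devvm
  remote_user: root
  vars:
    ansible_private_key_file: keys/id_rsa_ansible
    # Username of whoever runs ansible-playbook on the host (assumption: $USER).
    dev_user: "{{ lookup('env', 'USER') }}"
  tasks:
    - name: Install packages needed for the checkout
      apt:
        name:
          - mercurial
          - openssh-client
        state: present
        update_cache: true

    - name: Create the developer's account
      user:
        name: "{{ dev_user }}"
        shell: /bin/bash
        create_home: true

    - name: Authorise the public keys currently loaded in the host's ssh-agent
      # ssh-add -L prints one public key per line; authorized_key accepts
      # several keys in one string. Only public material is copied to the VM.
      authorized_key:
        user: "{{ dev_user }}"
        key: "{{ lookup('pipe', 'ssh-add -L') }}"

- name: Developer-specific tasks over a new ssh session as the developer
  hosts: devvm
  # A different remote user means a different ssh session, not a sudo switch,
  # so SSH_AUTH_SOCK in this session points at the forwarded host agent.
  remote_user: "{{ lookup('env', 'USER') }}"
  vars:
    # Belt and braces: forward the agent even if ansible.cfg is changed later.
    ansible_ssh_extra_args: -o ForwardAgent=yes
  tasks:
    - name: Check out the project with the developer's own (forwarded) key
      command: hg clone ssh://hg//hg/my_project hg/my_project
      args:
        # Idempotent: skip the clone when the working copy already exists.
        creates: hg/my_project
```

Run it with `ansible-playbook -i inventory site.yml` from the shell whose agent holds the developer's key; `ssh-add -L` must list that key or the second play cannot log in. Two practical notes: the `hg` host's key must be in the developer's known_hosts on the VM for the clone to proceed without a prompt, which is better handled with the `known_hosts` module than by `StrictHostKeyChecking=no`; and, as with any agent forwarding, anyone who is root on the VM can use the forwarded socket for as long as the session (and the 60s ControlPersist) lasts, so this only suits VMs the developer fully controls.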