🐛 Bug - OS/Distro specific built-in users spread to different(wrong) OS #13

Closed
opened 2018-09-19 17:33:57 +00:00 by reelsense · 3 comments
reelsense commented 2018-09-19 17:33:57 +00:00 (Migrated from github.com)
> * Add/remove users, groups, and user variables like default shell.
>   * With caveats for built-in AMI/vagrant users like `ubuntu`, `vagrant`, or `ec2-user`.
>
> ...
>
> I always need to add the same users to my servers but I don't want to add an `ubuntu` user to a FreeBSD server. Nor do I want to add the default FreeBSD AMI user, `ec2-user`, to an Ubuntu server. I want those default accounts to stay, but I still want to be able to update them like the other user accounts. - https://github.com/stationgroup/ansible-experiments/issues/9#issue-343283051

My `ubuntu` user/configs for Ubuntu on EC2 end up on my FreeBSD instances. Same with the `ec2-user` in the FreeBSD AMI.

I know, you're probably thinking "Oh not again, you're doing it wrong". Please advise what method I should be using (https://github.com/stationgroup/ansible-experiments/tree/master/add-users-groups-authorized_keys-dot-files/roles/users) if this was completed.

List of global users: `remember`, `direct`, `degree`, `sand`, `grief`, `jam`, `king`

Exclusive users:
- `ubuntu` (Ubuntu AMI)
- `ec2-user` (FreeBSD AMI)
- `vagrant` (FreeBSD, Ubuntu, Debian, etc.)

srgvg commented 2018-09-20 06:07:08 +00:00 (Migrated from github.com)

Can you show your inventory and how you configure for this? (/cc @vincentvdk)

reelsense commented 2018-09-20 16:54:53 +00:00 (Migrated from github.com)
`hosts` inventory:

```ini
[ubuntu-office]
redacted

[ubuntu-ec2]
redacted

[ubuntu-lab]
lab1 ansible_host=10.0.0.43 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
lab2 ansible_host=10.0.0.79 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
bastion-lab ansible_host=10.0.0.61 ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3

[debian]
redacted

[ubuntu:vars]
ansible_python_interpreter=/usr/bin/python3

[usa:children]
ubuntu-office
ubuntu-ec2
ubuntu-vultr
ubuntu-lab
freebsd-office
freebsd-ec2
freebsd-vultr
freebsd-lab

[ubuntu:children]
usa

[freebsd:children]
usa

[freebsd-lab]
lab3 ansible_host=10.0.0.219 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python
lab4 ansible_host=10.0.0.162 ansible_user=ec2-user ansible_python_interpreter=/usr/local/bin/python

[freebsd-vultr]
redacted
```

`ansible.cfg`:

```ini
[ssh_connection]

[defaults]
retry_files_enabled = False
retry_files_save_path = /tmp/
inventory=./hosts
host_key_checking=false
gathering = smart
stdout_callback=unixy
#stdout_callback=debug

[privilege_escalation]
#become=True
#become_method=su
#become_user=root
#become_ask_pass=False
```

I had to add the privilege escalation in the roles to fix broken/erroring FreeBSD stuff (Ubuntu always worked fine).


I've copied the stuff below from the comment in the ssh_config file Issue: https://github.com/stationgroup/ansible-experiments/issues/11#issuecomment-422962420

`group_vars/all`:

```yaml
---
user_groups:
  - name: test
    gid: 799
    state: absent

users:
  - name: ec2-user
    state: present
    enable_sudo: true
    keys:
      - file: ec2-user
        state: present
  - name: ubuntu
    state: present
    enable_sudo: true
    keys:
      - file: ubuntu
        state: present
    # Merged into one list: the file as posted repeated the `bash_lines:` key
    # under this user. A duplicate mapping key is not valid YAML and PyYAML
    # keeps only the last one, so the `absent` entry below was silently dropped.
    bash_lines:
      - line: 'export GPG_AGENT_INFO="${HOME}/.gnupg/S.gpg-agent:0:1"'
        state: absent
      - line: 'export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent"'
        state: present
    bash_blocks:
      - content: |
          # SSH with GPG key on Yubikey
          export GPG_TTY="$(tty)"
          export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent"
        state: absent
      - content: |
          ###
          ## Filecount in a directory.
          alias filecount='find . -maxdepth 1 -type f -print | wc -l'
          ## Reload shell
          alias reload-bash_profile="source ~/.bashrc"
          ###

          ###
          # Change UP and DOWN arrows to cycle through previous entries of the current command. Like FreeBSD.
          # From http://www.ukuug.org/events/linux2003/papers/bash_tips/
          # Incremental searching with Up and Down is configured in .inputrc
          bind '"\e[A": history-search-backward'
          bind '"\e[B": history-search-forward'

          #"\e[5~": history-search-backward
          #"\e[6~": history-search-forward
          #This allows you to continue using arrows for absolute chronological history then use PageUp and PageDn for history search.
          #You could also change it to.
          #"\e[5~": history-substring-search-backward
          #"\e[6~": history-substring-search-forward
          ###
        state: present
    ssh_config:
      - line: "ServerAliveInterval: 10"
      - line: "StreamLocalBindUnlink: yes"
```

I'm using:

```yaml
    ssh_config:
      - line: "ServerAliveInterval: 10"
      - line: "StreamLocalBindUnlink: yes"
```

as per PR #12


I've made some minor changes to fix a chicken-and-egg issue with FreeBSD. But nothing that should have broken ssh_config.

`roles/users/tasks/users.yml`:

![whoppingdearestamazonparrot-max-14mb](https://user-images.githubusercontent.com/5644977/45781877-26240f80-bc16-11e8-8468-f9fd6ad92ab6.gif)

```yaml
---
- name: Ensure sudo is installed (Debian)
  become_method: sudo
  apt:
    name: sudo
    update_cache: yes
    cache_valid_time: "{{ apt_cache_valid | default('86400') }}"
  when: ansible_os_family == "Debian"

- name: Ensure sudo is installed (FreeBSD)
  become_method: su
  pkgng:
    name: sudo
    state: present
  when: ansible_os_family == "FreeBSD"

- name: Enable sudo for user (FreeBSD)
  become_method: su
  lineinfile:
    path: "{{ sudoers_path }}/{{ item.name }}"
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    state: present
    create: true
  when:
    - ansible_os_family == "FreeBSD"
    - item.enable_sudo is defined and item.enable_sudo == true
  with_items: "{{ users }}"

- name: Enable sudo for user (Ubuntu)
  become_method: sudo
  lineinfile:
    path: "{{ sudoers_path }}/{{ item.name }}"
    line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
    state: present
    create: true
  when:
    - ansible_os_family == "Debian"
    - item.enable_sudo is defined and item.enable_sudo == true
  with_items: "{{ users }}"

- name: Add/Remove group
  become_method: sudo
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ user_groups }}"

- name: Add/Remove user
  become_method: sudo
  user:
    name: "{{ item.name }}"
    state: "{{ item.state | default('present') }}"
    password: "{{ item.password | default(omit) }}"
    groups: "{{ item.groups | default(omit) }}"
    uid: "{{ item.uid | default(omit) }}"
    shell: "{{ item.shell | default(default_shell) }}"
    remove: yes
  no_log: False
  with_items: "{{ users }}"

- name: Configure bashrc lines
  become_method: sudo
  lineinfile:
    path: "/home/{{ item.0.name }}/.bashrc"
    line: "{{ item.1.line }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - bash_lines
    - skip_missing: true
  when: ansible_os_family == 'Debian' and item.0.state == "present"

- name: Configure bashrc blocks
  become_method: sudo
  blockinfile:
    path: "/home/{{ item.0.name }}/.bashrc"
    content: "{{ item.1.content }}"
    marker: "# {mark} ANSIBLE managed content. Block item #{{ listitem }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - bash_blocks
    - skip_missing: true
  when: ansible_os_family == 'Debian' and item.0.state == "present"
  loop_control:
    index_var: listitem

- name: Configure cshrc lines
  become_method: su
  lineinfile:
    path: "/home/{{ item.0.name }}/.cshrc"
    line: "{{ item.1.line }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - csh_lines
    - skip_missing: true
  when: ansible_os_family == 'FreeBSD' and item.0.state == "present"

- name: Configure cshrc blocks
  become_method: su
  blockinfile:
    path: "/home/{{ item.0.name }}/.cshrc"
    content: "{{ item.1.content }}"
    marker: "# {mark} ANSIBLE managed content. Block item #{{ listitem }}"
    state: "{{ item.1.state | default('present') }}"
    backup: yes
  with_subelements:
    - "{{ users }}"
    - csh_blocks
    - skip_missing: true
  when: ansible_os_family == 'FreeBSD' and item.0.state == "present"
  loop_control:
    index_var: listitem

- name: Disable sudo for user
  become: true
  file:
    path: "{{ sudoers_path }}/{{ item.name }}"
    state: absent
  when: item.enable_sudo is defined and item.enable_sudo == false
  with_items: "{{ users }}"

- name: Include sudoers.d
  become: true
  lineinfile:
    dest: "{{ sudo_config_path }}"
    state: present
    regexp: '^\#includedir {{ sudoers_path }}'
    line: '#includedir {{ sudoers_path }}'
    validate: 'visudo -cf %s'
```

reelsense commented 2018-10-21 01:39:19 +00:00 (Migrated from github.com)

Resolved

Reference: stationgroup/ansible-experiments#13