Bug 2232231
| Summary: | kdump system role fails if kdump_ssh_user doesn't have a .ssh/authorized_keys file in home directory | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Brian Smith <briasmit> | |
| Component: | rhel-system-roles | Assignee: | Rich Megginson <rmeggins> | |
| Status: | CLOSED ERRATA | QA Contact: | Jakub Haruda <jharuda> | |
| Severity: | unspecified | Docs Contact: | Sujata Kurup <skurup> | |
| Priority: | unspecified | |||
| Version: | 9.2 | CC: | djez, gfialova, jharuda, lmanasko, rmeggins, spetrosi, vdanek | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 9.3 | Flags: | pm-rhel: mirror+ | |
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | role:kdump | |||
| Fixed In Version: | rhel-system-roles-1.22.0-1.el9 | Doc Type: | Bug Fix | |
| Doc Text: | .The `kdump` system role does not fail if `kdump_authorized_keys` is missing Previously, the `kdump` system role failed to add `SSH` authorized keys if the user defined in the `kdump_ssh_user` variable did not have access to the `.ssh` directory in the `home` directory or an empty `.ssh/authorized_keys` file. With this fix, the `kdump` system role now correctly adds authorized keys to the `SSH` configuration. As a result, the key based authentication works reliably in the described scenario. |
| Story Points: | --- | |
| Clone Of: | ||||
| : | 2232392 (view as bug list) | Environment: | ||
| Last Closed: | 2023-11-07 08:29:54 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2232392 | |||
@briasmit can you attach the entire ansible log?

[ansible@rhel9-controlnode kdump]$ ansible-playbook -i inventory.yml -b system_roles.yml
PLAY [Run kdump RHEL system role] ****************************************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Ensure ansible_facts used by role] ************************************************************************************
included: /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/set_vars.yml for rhel9-server1.example.com
TASK [redhat.rhel_system_roles.kdump : Ensure ansible_facts used by role] ************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Install required packages] ********************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Ensure that kdump is enabled] *****************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Include SSH tasks] ****************************************************************************************************
included: /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml for rhel9-server1.example.com
TASK [redhat.rhel_system_roles.kdump : Check whether key exists] *********************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Create key] ***********************************************************************************************************
changed: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Fetch key] ************************************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Get userinfo for kdump] ***********************************************************************************************
ok: [rhel9-server1.example.com -> rhel9-controlnode.example.com]
TASK [redhat.rhel_system_roles.kdump : Set authorized_keys file path] ****************************************************************************************
ok: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Get the authorized_keys file for the user] ****************************************************************************
ok: [rhel9-server1.example.com -> rhel9-controlnode.example.com]
TASK [redhat.rhel_system_roles.kdump : Get the authorized_keys contents, if any] *****************************************************************************
skipping: [rhel9-server1.example.com]
TASK [redhat.rhel_system_roles.kdump : Write new authorized_keys if needed] **********************************************************************************
fatal: [rhel9-server1.example.com -> {{ kdump_ssh_server }}]: FAILED! => {"msg": "The conditional check '__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new' failed. The error was: error while evaluating conditional (__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new): {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'. {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml': line 42, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Write new authorized_keys if needed\n ^ here\n"}
PLAY RECAP ***************************************************************************************************************************************************
rhel9-server1.example.com : ok=12 changed=1 unreachable=0 failed=1 skipped=1 rescued=0 ignored=0
Note that if there is no authorized_keys file, the "Get the authorized_keys contents, if any" task is skipped, and the _kdump_authorized_keys.content variable isn't defined.

If there is an authorized_keys file (even an empty one), the "Get the authorized_keys contents, if any" task is run and the _kdump_authorized_keys.content variable is defined.

(In reply to Brian Smith from comment #3)
> Note that if there is no authorized_keys file, the "Get the authorized_keys
> contents, if any" task is skipped, and the _kdump_authorized_keys.content
> variable isn't defined.
>
> If there is an authorized_keys file (even an empty one), the "Get the
> authorized_keys contents, if any" task is run and the
> _kdump_authorized_keys.content variable is defined.

Right. I don't understand why this logic isn't working: https://github.com/linux-system-roles/kdump/blob/main/tasks/ssh.yml#L47

```
__kdump_authorized_keys_lines: "{{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}"
```

since `__kdump_authorized_keys` is not defined, it should set `__kdump_authorized_keys_lines` to `[]` and not even evaluate the clause with `__kdump_authorized_keys.content` - looks like some sort of strange Jinja or Ansible evaluation issue

@briasmit any chance you could try the fix in https://github.com/linux-system-roles/kdump/pull/161 ?

@rmeggins this is now working if the authorized_key file doesn't exist, but still fails if the .ssh directory doesn't exist.

Use case for this: My environment has an "ansible" service account setup for running playbooks. I'd like to setup kdump to send over SSH, but I don't want to use the "ansible" user account for this. So I created a new "kdump" user account on the host that will receive the kdumps. By default, when creating a new account, it doesn't have a ".ssh" directory created automatically, so it would be nice if the role checked this before trying to write the authorized_key file to the directory.

Thanks for your help with this!

(In reply to Brian Smith from comment #7)
> @rmeggins this is now working if the authorized_key file doesn't
> exist, but still fails if the .ssh directory doesn't exist.
>
> Use case for this: My environment has an "ansible" service account setup
> for running playbooks. I'd like to setup kdump to send over SSH, but I
> don't want to use the "ansible" user account for this. So I created a new
> "kdump" user account on the host that will receive the kdumps. By default,
> when creating a new account, it doesn't have a ".ssh" directory created
> automatically, so it would be nice if the role checked this before trying to
> write the authorized_key file to the directory.

https://issues.redhat.com/browse/RHEL-1397 and https://issues.redhat.com/browse/RHEL-1398

>
> Thanks for your help with this!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:6390
Description of problem:
When using kdump system role to configure a SSH kdump configuration, the role will fail if the user defined in the kdump_ssh_user variable doesn't already have both a .ssh directory in the home directory, and at least an empty .ssh/authorized_keys file.

Version-Release number of selected component (if applicable):
rhel-system-roles-1.21.1-1.el9_2.noarch

How reproducible:
Every time

Steps to Reproduce:
1. From my control node (rhel9-controlnode.example.com) define this inventory and run the kdump system role:

```
all:
  hosts:
    rhel9-server1.example.com:
  vars:
    kdump_target:
      type: ssh
      location: kdump.com
    kdump_path: "/home/kdump/crash"
    kdump_sshkey: "/root/kdump_ssh/id_rsa"
    kdump_ssh_user: kdump
    kdump_ssh_server: rhel9-controlnode.example.com
```

Actual results:
If the /home/kdump/.ssh directory and/or /home/kdump/.ssh/authorized_keys file don't already exist on rhel9-controlnode.example.com, the role will fail:

```
TASK [redhat.rhel_system_roles.kdump : Write new authorized_keys if needed] **********************************************************************************
fatal: [rhel9-server1.example.com -> {{ kdump_ssh_server }}]: FAILED! => {"msg": "The conditional check '__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new' failed. The error was: error while evaluating conditional (__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new): {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'. {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml': line 42, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Write new authorized_keys if needed\n ^ here\n"}
```

If you create the .ssh directory, and an empty .ssh/authorized_keys file, this task doesn't fail.

Expected results:
The role attempts to configure the authorized_keys file if it isn't configured already, so it should work even if the .ssh directory and/or .ssh/authorized_keys file don't exist.
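
The `'dict object' has no attribute 'content'` error is consistent with how Ansible handles `register` on a skipped task: the variable is still set, to a result dict that marks the task as skipped and carries no `content` key, so a guard written as `is defined` on the variable passes. The playbook below is an added example, not the kdump role's code or the change in the linked pull request; the `demo_*` names, the `/tmp` path and the key line are constructed.

```yaml
# Added example: constructed names and paths, not taken from the kdump role.
- name: A registered variable from a skipped task is still defined
  hosts: localhost
  gather_facts: false
  vars:
    demo_home: /tmp/kdump-demo-home          # stands in for the kdump user's home
    demo_keys_file: "{{ demo_home }}/.ssh/authorized_keys"
    demo_pubkey: "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER kdump-demo"
  tasks:
    - name: Check for the authorized_keys file
      ansible.builtin.stat:
        path: "{{ demo_keys_file }}"
      register: demo_stat

    - name: Read the file only if it exists (skipped when it is absent)
      ansible.builtin.slurp:
        src: "{{ demo_keys_file }}"
      register: demo_keys
      when: demo_stat.stat.exists

    - name: Show that the variable exists even though the task was skipped
      ansible.builtin.debug:
        msg: "defined={{ demo_keys is defined }} has_content={{ demo_keys.content is defined }}"

    - name: Build the line list, guarding on the attribute instead of the variable
      ansible.builtin.set_fact:
        demo_lines: >-
          {{ (demo_keys.content | b64decode).split('\n') | reject('match', '^$') | list
          if demo_keys.content is defined else [] }}

    # sshd with StrictModes enabled checks modes and ownership of these paths,
    # so create them with explicit permissions instead of relying on the umask.
    - name: Ensure the .ssh directory exists
      ansible.builtin.file:
        path: "{{ demo_home }}/.ssh"
        state: directory
        mode: "0700"

    - name: Add the key only when it is not already present
      ansible.builtin.lineinfile:
        path: "{{ demo_keys_file }}"
        line: "{{ demo_pubkey }}"
        create: true
        mode: "0600"
      when: demo_pubkey not in demo_lines
```

On a first run, with no file at the constructed path, the `slurp` task is skipped and the debug task prints `defined=True has_content=False`.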