Description of problem:
When using kdump system role to configure an SSH kdump configuration, the role will fail if the user defined in the kdump_ssh_user variable doesn't already have both a .ssh directory in the home directory, and at least an empty .ssh/authorized_keys file.

Version-Release number of selected component (if applicable):
rhel-system-roles-1.21.1-1.el9_2.noarch

How reproducible:
Every time

Steps to Reproduce:
1. From my control node (rhel9-controlnode.example.com) define this inventory and run the kdump system role:

```
all:
  hosts:
    rhel9-server1.example.com:
  vars:
    kdump_target:
      type: ssh
      location: kdump.com
    kdump_path: "/home/kdump/crash"
    kdump_sshkey: "/root/kdump_ssh/id_rsa"
    kdump_ssh_user: kdump
    kdump_ssh_server: rhel9-controlnode.example.com
```

Actual results:
If the /home/kdump/.ssh directory and/or /home/kdump/.ssh/authorized_keys file don't already exist on rhel9-controlnode.example.com, the role will fail:

```
TASK [redhat.rhel_system_roles.kdump : Write new authorized_keys if needed] **********************************************************************************
fatal: [rhel9-server1.example.com -> {{ kdump_ssh_server }}]: FAILED! => {"msg": "The conditional check '__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new' failed. The error was: error while evaluating conditional (__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new): {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'. {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml': line 42, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Write new authorized_keys if needed\n ^ here\n"}
```

If you create the .ssh directory, and an empty .ssh/authorized_keys file, this task doesn't fail.

Expected results:
The role attempts to configure the authorized_keys file if it isn't configured already, so it should work even if the .ssh directory and/or .ssh/authorized_keys file don't exist.
@briasmit can you attach the entire ansible log?
```
[ansible@rhel9-controlnode kdump]$ ansible-playbook -i inventory.yml -b system_roles.yml

PLAY [Run kdump RHEL system role] ****************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Ensure ansible_facts used by role] ************************************************************************************
included: /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/set_vars.yml for rhel9-server1.example.com

TASK [redhat.rhel_system_roles.kdump : Ensure ansible_facts used by role] ************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Install required packages] ********************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Ensure that kdump is enabled] *****************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Include SSH tasks] ****************************************************************************************************
included: /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml for rhel9-server1.example.com

TASK [redhat.rhel_system_roles.kdump : Check whether key exists] *********************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Create key] ***********************************************************************************************************
changed: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Fetch key] ************************************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Get userinfo for kdump] ***********************************************************************************************
ok: [rhel9-server1.example.com -> rhel9-controlnode.example.com]

TASK [redhat.rhel_system_roles.kdump : Set authorized_keys file path] ****************************************************************************************
ok: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Get the authorized_keys file for the user] ****************************************************************************
ok: [rhel9-server1.example.com -> rhel9-controlnode.example.com]

TASK [redhat.rhel_system_roles.kdump : Get the authorized_keys contents, if any] *****************************************************************************
skipping: [rhel9-server1.example.com]

TASK [redhat.rhel_system_roles.kdump : Write new authorized_keys if needed] **********************************************************************************
fatal: [rhel9-server1.example.com -> {{ kdump_ssh_server }}]: FAILED! => {"msg": "The conditional check '__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new' failed. The error was: error while evaluating conditional (__kdump_authorized_keys_lines != __kdump_authorized_keys_lines_new): {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'. {{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}: 'dict object' has no attribute 'content'. 'dict object' has no attribute 'content'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/roles/kdump/tasks/ssh.yml': line 42, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Write new authorized_keys if needed\n ^ here\n"}

PLAY RECAP ***************************************************************************************************************************************************
rhel9-server1.example.com : ok=12 changed=1 unreachable=0 failed=1 skipped=1 rescued=0 ignored=0
```
Note that if there is no authorized_keys file, the "Get the authorized_keys contents, if any" task is skipped, and the _kdump_authorized_keys.content variable isn't defined.

If there is an authorized_keys file (even an empty one), the "Get the authorized_keys contents, if any" task is run and the _kdump_authorized_keys.content variable is defined.
(In reply to Brian Smith from comment #3)
> Note that if there is no authorized_keys file, the "Get the authorized_keys
> contents, if any" task is skipped, and the _kdump_authorized_keys.content
> variable isn't defined.
>
> If there is an authorized_keys file (even an empty one), the "Get the
> authorized_keys contents, if any" task is run and the
> _kdump_authorized_keys.content variable is defined.

Right. I don't understand why this logic isn't working: https://github.com/linux-system-roles/kdump/blob/main/tasks/ssh.yml#L47

```
__kdump_authorized_keys_lines: "{{ (__kdump_authorized_keys.content | b64decode).split('\n') | reject('match', '^$') | list if __kdump_authorized_keys is defined else [] }}"
```

since `__kdump_authorized_keys` is not defined, it should set `__kdump_authorized_keys_lines` to `[]` and not even evaluate the clause with `__kdump_authorized_keys.content` - looks like some sort of strange Jinja or Ansible evaluation issue
@briasmit any chance you could try the fix in https://github.com/linux-system-roles/kdump/pull/161 ?
@rmeggins this is now working if the authorized_key file doesn't exist, but still fails if the .ssh directory doesn't exist.

Use case for this: My environment has an "ansible" service account set up for running playbooks. I'd like to set up kdump to send over SSH, but I don't want to use the "ansible" user account for this. So I created a new "kdump" user account on the host that will receive the kdumps. By default, when creating a new account, it doesn't have a ".ssh" directory created automatically, so it would be nice if the role checked this before trying to write the authorized_key file to the directory.

Thanks for your help with this!
(In reply to Brian Smith from comment #7)
> @rmeggins this is now working if the authorized_key file doesn't
> exist, but still fails if the .ssh directory doesn't exist.
>
> Use case for this: My environment has an "ansible" service account setup
> for running playbooks. I'd like to setup kdump to send over SSH, but I
> don't want to use the "ansible" user account for this. So I created a new
> "kdump" user account on the host that will receive the kdumps. By default,
> when creating a new account, it doesn't have a ".ssh" directory created
> automatically, so it would be nice if the role checked this before trying to
> write the authorized_key file to the directory.

https://issues.redhat.com/browse/RHEL-1397 and https://issues.redhat.com/browse/RHEL-1398

> Thanks for your help with this!
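
Added example, not the kdump role's tasks and not the change in the pull request linked above: a stand-alone playbook covering both failures discussed in this thread. Ansible still registers a variable for a skipped task, so the guard has to test `.content` rather than the variable itself, and the `.ssh` directory is created with restrictive permissions before `authorized_keys` is written. All `demo_*` names, the scratch path and the key string are constructed for illustration.

```yaml
# Run with: ansible-playbook demo.yml   (touches only the scratch directory below)
- name: Skipped register and missing .ssh directory, handled defensively
  hosts: localhost
  gather_facts: false
  vars:
    demo_home: /tmp/kdump_demo_home   # constructed stand-in for the kdump user's home
    demo_authorized_keys: "{{ demo_home }}/.ssh/authorized_keys"
    demo_pubkey: "ssh-ed25519 AAAA-CONSTRUCTED-PLACEHOLDER kdump-demo"   # not a real key
  tasks:
    - name: Check whether authorized_keys exists
      ansible.builtin.stat:
        path: "{{ demo_authorized_keys }}"
      register: demo_stat

    - name: Read authorized_keys only if it exists
      ansible.builtin.slurp:
        src: "{{ demo_authorized_keys }}"
      register: demo_slurp
      when: demo_stat.stat.exists

    # On the first run the slurp task is skipped, yet demo_slurp is defined:
    # it holds the skip result (skipped: true) and has no 'content' key.
    - name: Show what the skipped task registered
      ansible.builtin.debug:
        msg: >-
          defined={{ demo_slurp is defined }}
          skipped={{ demo_slurp is skipped }}
          has_content={{ demo_slurp.content is defined }}

    # Guard on the attribute that is actually dereferenced.
    - name: Build the list of existing key lines
      ansible.builtin.set_fact:
        demo_lines: "{{ (demo_slurp.content | b64decode).split('\n') | reject('match', '^$') | list if demo_slurp.content is defined else [] }}"

    # On a real host also set owner and group to the receiving user.
    - name: Ensure .ssh exists and is private to the user
      ansible.builtin.file:
        path: "{{ demo_home }}/.ssh"
        state: directory
        mode: "0700"

    - name: Write authorized_keys only when the key is missing
      ansible.builtin.copy:
        dest: "{{ demo_authorized_keys }}"
        content: "{{ (demo_lines + [demo_pubkey]) | join('\n') }}\n"
        mode: "0600"
      when: demo_pubkey not in demo_lines
```

A second run reads the file, finds the key already present and reports no change for the write task.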