I am getting some major Twilight Zone vibes from time to time using the v9 lab. Two scenarios I ran into today that confused me:
1. I ran a playbook to create some users on servera without become: true in playbook or ansible.cfg and it executed just fine. Perhaps this has something to do with how ansible-navigator works, does it perhaps execute plays as root when no remote user is defined? It has root permissions to do that?
2. When as student user I ran a playbook on workstation to be executed on servera, it connected to servera without asking for user password. I check ls -a /home/student on servera, there is no .ssh/authorized_keyz. Then I try ssh-copy-id student@servera, it says the key is already on the host. How is this ssh access configured?? Where is the public key kept?
When no values are mentioned in ansible.cfg, it will take the default values. For example, it will take sudo as the default become method unless specified explicitly. There is no file by the name .ssh/authorized_keyz; it should be .ssh/authorized_keys.
Yes, I meant .ssh/authorized_keys, that was just a spelling error. Key for student is not there, yet student still connects without a password. I'll have to check ssh server configuration on servera, maybe the answer is there.
What concerns me more is that I was able to create users on servera without 'become' present in either playbook, ansible.cfg or ansible command. My understanding is that this should not be possible. Unless ansible-navigator ran the playbook as root remotely, there was a become_password_file already set up, it wouldn't have to ask me for the password.
Ok, so thinking that there could maybe be some remains from the earlier exercises doing this, I've deleted the lab and created a fresh one. And it's still the same.
I am able to login to servera from workstation as student user without providing a password, yet there is no .ssh/authorized_keys in /home/student on servera. Checking /etc/sshd_config on servera, I did find that AuthorizedKeyFile also has another value /etc/.rht_authorized_keys, but checking there I found two keys, named InstructorKey and LabGradingKey, which makes me believe they are used for Ansible tasks for running the lab.
And again, I can run tasks that require root privileges without become. A small piece of code like this:
---
- hosts: servera
  tasks:
    - user:
        name: bob
Executed just fine, there is now bob on servera.
This was actually answered before.
So, yes indeed, ansible-navigator indeed connects to the hosts as root, that one has been explained.
I still couldn't figure out ssh.
The good news is that you won't have to worry about these matters on the exam, they don't play any role there.
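For the SSH question left open in the thread, the following added example (not code from any poster or from the lab) resolves which files sshd would read public keys from for a given user, and lists the key comments found in them. The function names and the sample config are constructed for illustration; only the path /etc/.rht_authorized_keys comes from the thread.

```shell
# Added example (not from the thread): which files does sshd read keys from?
# Simplifications: Include files and Match blocks are not evaluated; on a live
# host, `sshd -T -C user=NAME` (as root) prints the effective settings.

# $1 = sshd_config path, $2 = user name, $3 = that user's home directory
resolve_authorized_keys_paths() {
    awk -v user="$2" -v home="$3" '
        function expand(p,    out, i, c, n) {
            out = ""
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c == "%" && i < length(p)) {
                    n = substr(p, ++i, 1)
                    if (n == "u") out = out user        # %u = user name
                    else if (n == "h") out = out home   # %h = home directory
                    else if (n == "%") out = out "%"    # %% = literal percent
                    else out = out "%" n
                } else out = out c
            }
            # Non-absolute paths are taken relative to the home directory.
            return (out ~ /^\//) ? out : home "/" out
        }
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == "authorizedkeysfile" && !seen {   # first value wins
            seen = 1
            for (f = 2; f <= NF; f++) print expand($f)
        }
        END {   # OpenSSH default when the keyword is never set
            if (!seen) { print expand(".ssh/authorized_keys"); print expand(".ssh/authorized_keys2") }
        }
    ' "$1"
}

# Print "path: keytype comment" for each key line in the readable files given.
list_key_comments() {
    for path in "$@"; do
        [ -r "$path" ] || continue
        awk -v p="$path" '/^[ \t]*(#|$)/ { next }
            { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                  print p ": " $i " " $(i + 2); next } }' "$path"
    done
}

# Constructed sample config, modelled on what the thread describes.
sample=$(mktemp)
printf '%s\n' '#AuthorizedKeysFile .ssh/authorized_keys' \
    'AuthorizedKeysFile /etc/.rht_authorized_keys .ssh/authorized_keys' > "$sample"
resolve_authorized_keys_paths "$sample" student /home/student
rm -f "$sample"
```

On a real host, pass /etc/ssh/sshd_config as the first argument and feed the resulting paths to list_key_comments; a key that lives outside the user's home directory is why ssh-copy-id can report the key as already installed while ~/.ssh/authorized_keys is absent.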