#8675 drop ansible_become* statements from inventory/group_vars/ec2
Closed: Fixed 4 years ago by praiskup. Opened 4 years ago by praiskup.

edit: I debugged the hard way in the end, since nobody was around.... Ignore the rest of this description.

Hey, I need to debug:

sudo rbac-playbook -l copr-be-dev.aws.fedoraproject.org groups/copr-backend.yml

But I can not run the playbook with -vvv.

The output I see:

TASK [Create db] ****************************************************************************************************************************************************************************************************************************
Saturday 22 February 2020  09:02:39 +0000 (0:00:00.051)       0:00:00.051 ***** 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: psycopg2.OperationalError: FATAL:  Peer authentication failed for user "postgres"
fatal: [copr-be-dev.aws.fedoraproject.org]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "unable to connect to database: FATAL:  Peer authentication failed for user \"postgres\"\n"}

This is not reproducible when I run the same task from my box, or from a temporarily
started CentOS 7 box.


This is because our boxes were moved to the ec2 group overnight, and our way of working with become stopped working. That's because the group var file has:

ansible_become: true
ansible_become_user: root
ansible_become_method: sudo

This is IMO the wrong thing to do. It basically says that every single box in ec2 doesn't
have root ssh allowed. Proposals?

We were moved to ec2 because of nagios, a66b967781d2169f7b14748c69236c86e6f79df9

Turns out that, except for one, all the boxes in the ec2 group are copr boxes:
https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=5adf0ddfdc3d83f248a367e6f95fcb8b27f8826a

Which means that we should indeed drop ansible_become* config options from
ec2 group var file.

Sorry for the breakage. ;(

I think that stuff was leftover from our setting up proxy30 in aws. It can be removed.

I was working on getting some monitoring working on the ec2 instances (via ssh, since they all allow that).

Thanks for taking a look then!

I've put copr aws boxes back to ec2 group, and disabled ansible_become* hacks 2131404eef8573229c45d68cb5a4bec7e5961248

Metadata Update from @praiskup:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Commit 1850ec75 relates to this ticket

Commit 94a2ed07 relates to this ticket

Commit 70733f58 relates to this ticket

Commit 55c087bd relates to this ticket

Commit d2b44af0 relates to this ticket

Commit d52658a5 relates to this ticket

Commit 30633a0f relates to this ticket

Commit 59d7020c relates to this ticket

Commit e0474a98 relates to this ticket

Commit acc2a543 relates to this ticket
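
A check for the situation in this ticket, as an added example that is not part of the original issue or of the Fedora infrastructure repository: it scans a group_vars directory for top-level ansible_become* settings, which apply to every host in the group. The sample tree and the group name other_group are constructed, and the parser only handles simple top-level `key: value` lines.

```python
import re
import tempfile
from pathlib import Path

# Inventory-level connection variables such as ansible_become_user take
# precedence over become/become_user keywords set on plays and tasks.
BECOME_VAR = re.compile(r"^(ansible_become\w*)\s*:\s*(.*?)\s*(?:#.*)?$")


def find_become_overrides(group_vars_dir):
    """Return (group, line_no, key, value) for every top-level ansible_become* key."""
    root = Path(group_vars_dir)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        # group_vars/ec2, group_vars/ec2.yml and group_vars/ec2/main.yml all mean "ec2"
        group = rel.parts[0] if len(rel.parts) > 1 else rel.stem
        for line_no, line in enumerate(path.read_text().splitlines(), start=1):
            match = BECOME_VAR.match(line)  # anchored at column 0: top-level keys only
            if match:
                findings.append((group, line_no, match.group(1), match.group(2).strip("'\"")))
    return findings


def demo():
    """Run the check over a constructed inventory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # The ec2 settings quoted in the ticket, plus a constructed comment line.
        (root / "ec2").write_text(
            "# constructed sample\n"
            "ansible_become: true\n"
            "ansible_become_user: root\n"
            "ansible_become_method: sudo\n"
        )
        # Hypothetical group whose only become key is nested, so it is not flagged.
        (root / "other_group").mkdir()
        (root / "other_group" / "main.yml").write_text(
            "db_tasks:\n  ansible_become_user: postgres\n"
        )
        return find_become_overrides(root)


if __name__ == "__main__":
    for group, line_no, key, value in demo():
        print(f"group_vars/{group}:{line_no}: {key} = {value}")
```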
