Changeset - 9f48ea488876
Parent rev.
Child rev.
[Not reviewed]
0 1 0
Branko Majic (branko) - 4 years ago 2021-01-18 21:46:14
branko@majic.rs
MAR-151: Fix authentication issues for backup client in usage instructions:

- Add warning about how Ansible file lookup can mess with trailing
newlines.
- Disable stripping of newlines when reading the backup client SSH
private key.
1 file changed with 10 insertions and 1 deletions:
docs/usage.rst
10
1
0 comments (0 inline, 0 general)
docs/usage.rst
Show inline comments
 
@@ -2264,23 +2264,32 @@ So, back to the business:
 
        - server: bak.example.com
 
          public_key: "{{ lookup('file', inventory_dir + '/ssh/bak.example.com.pub') }}"
 
          ip: 127.0.0.1
 

			




	
	
	
		
 
2. And now to configure backup clients for all servers:

			




	
	
	
		
 

			




	
	
	
		
 
   .. warning::

			




	
	
	
		
 
      By default Ansible's file lookup plugin will strip newlines and

			




	
	
	
		
 
      spaces from the end of the file. This is a problem when

			




	
	
	
		
 
      deploying the RSA ssh keys, since if there is no newline after

			




	
	
	
		
 
      the ``-----END OPENSSH PRIVATE KEY-----`` delimeter, ssh client

			




	
	
	
		
 
      will report error about the format of the key file being

			




	
	
	
		
 
      invalid. Therefore the example below explicitly disables

			




	
	
	
		
 
      stripping newline from the end of the file.

			




	
	
	
		
 

			




	
	
	
		
 
   :file:`~/mysite/group_vars/all.yml`

			




	
	
	
		
 
   ::

			




	
	
	
		
 

			




	
	
	
		
 
      enable_backup: yes

			




	
	
	
		
 
      backup_encryption_key: "{{ lookup('pipe', 'gpg --homedir ~/mysite/gnupg/ --armour --export-secret-keys ' + ansible_fqdn ) }}"

			




	
	
	
		
 
      backup_server: bak.example.com

			




	
	
	
		
 
      backup_server_host_ssh_public_keys:

			




	
	
	
		
 
        - "{{ lookup('file', inventory_dir + '/ssh/bak_rsa_key.pub') }}"

			




	
	
	
		
 
        - "{{ lookup('file', inventory_dir + '/ssh/bak_ed25519_key.pub') }}"

			




	
	
	
		
 
        - "{{ lookup('file', inventory_dir + '/ssh/bak_ecdsa_key.pub') }}"

			




	
	
	
		
 
      backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/' + ansible_fqdn) }}"

			




	
	
	
		
 
      backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/' + ansible_fqdn, rstrip=False) }}"

			




	
	
	
		
 

			




	
	
	
		
 
3. So, looking at the configuration up there, there is a couple of file lookups

			




	
	
	
		
 
   for getting the variable values, as well as one pipe lookup for fetching the

			




	
	
	
		
 
   encryption keys. For start, let's create the SSH private keys used for client

			




	
	
	
		
 
   log-ins to backup server::

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2024 by various authors & licensed under GPLv3.