Hi,
I am trying to provision a staging server at Google Cloud, after having successfully set up a dev server with Trellis (Vagrant and Virtualbox). My instance is Ubuntu 16.04 (Xenial). My local environment is Debian 9 with Ansible 2.4.0.0.
I can ssh into my instance as mclarke:
ssh 35.197.167.246
It’s not possible to ssh in as root or admin, so I have set up my users.yml as follows:
admin_user: mclarke

# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "mclarke"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      # - https://github.com/username.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      # - https://github.com/username.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php7.1-fpm *"
The (abbreviated) output I am getting from running:
ansible-playbook server.yml -e env=staging
(full output included at the end of this message) is:
TASK [users : Ensure sudo group has sudo privileges] **********************************************************************************************************************************
changed: [35.197.167.246]
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ************************************************************************************************
System info:
Ansible 2.4.0.0; Linux
Trellis at "Normalize `apt` tasks"
---------------------------------------------------
The conditional check 'TrueTrue' failed. The error was: error while
evaluating conditional (TrueTrue): 'TrueTrue' is undefined
fatal: [35.197.167.246]: FAILED! => {"failed": true}
RUNNING HANDLER [fail2ban : restart fail2ban] *****************************************************************************************************************************************
changed: [35.197.167.246]
RUNNING HANDLER [ferm : restart ferm] *************************************************************************************************************************************************
changed: [35.197.167.246]
RUNNING HANDLER [ntp : restart ntp] ***************************************************************************************************************************************************
changed: [35.197.167.246]
to retry, use: --limit @/home/mclarke/gitlab/australiascience.tv/trellis/server.retry
PLAY RECAP ****************************************************************************************************************************************************************************
35.197.167.246 : ok=38 changed=18 unreachable=0 failed=1
localhost : ok=0 changed=0 unreachable=0 failed=0
$
Other things I have modified from Trellis’s master branch and (I hope!) in accordance with the instructions are:
- group_vars/all/users.yml as shown above
- group_vars/staging/wordpress_sites.yml
- group_vars/staging/vault.yml (new passwords and salts)
- group_vars/all/vault.yml
- .vault_pass (added)
- ansible.cfg updated to include .vault_pass
- hosts/staging updated with the new IP address
- group_vars/all/security.yml changed sshd_permit_root_login to false
I believe that in ansible.cfg ssh agent forwarding is already enabled, so I did not modify ssh_args in there.
I have been trying to fix this for over a day now, and am out of ideas. I have probably done or not done something stupid. Hope you can help. Anything you can suggest will be much appreciated.
Here is the full output from Ansible:
~/gitlab/australiascience.tv/trellis$ ansible-playbook server.yml -e env=staging
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be
removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This
feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
PLAY [Ensure necessary variables are defined] *****************************************************************************************************************************************
TASK [Ensure environment is defined] **************************************************************************************************************************************************
skipping: [localhost]
PLAY [Test Connection and Determine Remote User] **************************************************************************************************************************************
TASK [connection : Require manual definition of remote-user] **************************************************************************************************************************
skipping: [35.197.167.246]
TASK [connection : Specify preferred HostKeyAlgorithms for unknown hosts] *************************************************************************************************************
ok: [35.197.167.246]
TASK [connection : Check whether Ansible can connect as root] *************************************************************************************************************************
The authenticity of host '35.197.167.246 (35.197.167.246)' can't be established.
ED25519 key fingerprint is SHA256:94Eibw6IyhrHJuMwnHfQPZoZiW1AizYu5g5SzJlHw2I.
Are you sure you want to continue connecting (yes/no)? yes
ok: [35.197.167.246 -> localhost]
TASK [connection : Warn about change in host keys] ************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [connection : Set remote user for each host] *************************************************************************************************************************************
ok: [35.197.167.246]
TASK [connection : Announce which user was selected] **********************************************************************************************************************************
Note: Ansible will attempt connections as user = mclarke
Note: The host `35.197.167.246` was not detected in known_hosts
so Trellis prompted the host to offer a key type that will work with
the stronger key types Trellis configures on the server. This avoids future
connection failures due to changed host keys. Trellis used this SSH option:
-o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
To prevent Trellis from ever using this SSH option, add this to group_vars:
dynamic_host_key_algorithms: false
ok: [35.197.167.246]
TASK [connection : Load become password] **********************************************************************************************************************************************
ok: [35.197.167.246]
PLAY [Install prerequisites] **********************************************************************************************************************************************************
TASK [Install Python 2.x] *************************************************************************************************************************************************************
ok: [35.197.167.246]
PLAY [WordPress Server - Install LEMP Stack with PHP 7.1 and MariaDB MySQL] ***********************************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************************************************************
ok: [35.197.167.246]
TASK [common : Validate wordpress_sites] **********************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Validate format of site_hosts] *****************************************************************************************************************************************
skipping: [35.197.167.246] => (item=australiascience.tv)
TASK [common : Verify dict format for apt package component variables] ****************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Verify dict format for apt package combined variables] *****************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Validate Ubuntu version] ***********************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Check whether passlib is needed] ***************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Retrieve local SSH client's settings per host] *************************************************************************************************************************
ok: [35.197.167.246]
TASK [common : Validate compatible settings between SSH client and server] ************************************************************************************************************
ok: [35.197.167.246] => {
"changed": false,
"failed": false,
"msg": "All assertions passed"
}
TASK [common : Checking essentials] ***************************************************************************************************************************************************
changed: [35.197.167.246] => (item=python-software-properties)
changed: [35.197.167.246] => (item=build-essential)
changed: [35.197.167.246] => (item=python-mysqldb)
changed: [35.197.167.246] => (item=libnss-myhostname)
ok: [35.197.167.246] => (item=dbus)
changed: [35.197.167.246] => (item=git-core)
ok: [35.197.167.246] => (item=python-pycurl)
ok: [35.197.167.246] => (item=curl)
TASK [common : Validate timezone variable] ********************************************************************************************************************************************
ok: [35.197.167.246]
TASK [common : Explain timezone error] ************************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Add myhostname to nsswitch.conf to ensure resolvable hostname] *********************************************************************************************************
ok: [35.197.167.246]
TASK [common : Generate SSH key for vagrant user] *************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [common : Retrieve SSH client IP] ************************************************************************************************************************************************
ok: [35.197.167.246]
TASK [swapfile : Write swapfile] ******************************************************************************************************************************************************
changed: [35.197.167.246]
TASK [swapfile : Set swapfile permissions] ********************************************************************************************************************************************
changed: [35.197.167.246]
TASK [swapfile : Create swapfile] *****************************************************************************************************************************************************
changed: [35.197.167.246]
TASK [swapfile : Enable swapfile] *****************************************************************************************************************************************************
changed: [35.197.167.246]
TASK [swapfile : Add swapfile to /etc/fstab] ******************************************************************************************************************************************
changed: [35.197.167.246]
TASK [swapfile : Configure vm.swappiness] *********************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [swapfile : Configure vm.vfs_cache_pressure] *************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [fail2ban : ensure fail2ban is installed] ****************************************************************************************************************************************
changed: [35.197.167.246]
TASK [fail2ban : ensure fail2ban is configured] ***************************************************************************************************************************************
changed: [35.197.167.246] => (item=jail.local)
changed: [35.197.167.246] => (item=fail2ban.local)
TASK [fail2ban : ensure fail2ban starts on a fresh reboot] ****************************************************************************************************************************
ok: [35.197.167.246]
TASK [ferm : ensure ferm status is in debconf] ****************************************************************************************************************************************
changed: [35.197.167.246]
TASK [ferm : ensure ferm is installed] ************************************************************************************************************************************************
changed: [35.197.167.246]
TASK [ferm : ensure configuration directories exist] **********************************************************************************************************************************
changed: [35.197.167.246] => (item=/etc/ferm/ferm.d)
changed: [35.197.167.246] => (item=/etc/ferm/filter-input.d)
TASK [ferm : ensure firewall is configured] *******************************************************************************************************************************************
changed: [35.197.167.246] => (item=etc/default/ferm)
changed: [35.197.167.246] => (item=etc/ferm/ferm.conf)
TASK [ferm : ensure iptables INPUT rules are removed] *********************************************************************************************************************************
skipping: [35.197.167.246] => (item={u'dport': [u'http', u'https'], u'type': u'dport_accept', u'filename': u'nginx_accept'})
skipping: [35.197.167.246] => (item={u'dport': [u'ssh'], u'type': u'dport_accept', u'saddr': [u'113.197.13.1']})
skipping: [35.197.167.246] => (item={u'dport': [u'ssh'], u'seconds': 300, u'hits': 20, u'type': u'dport_limit'})
TASK [ferm : ensure iptables INPUT rules are added] ***********************************************************************************************************************************
changed: [35.197.167.246] => (item={u'dport': [u'http', u'https'], u'type': u'dport_accept', u'filename': u'nginx_accept'})
changed: [35.197.167.246] => (item={u'dport': [u'ssh'], u'type': u'dport_accept', u'saddr': [u'113.197.13.1']})
changed: [35.197.167.246] => (item={u'dport': [u'ssh'], u'seconds': 300, u'hits': 20, u'type': u'dport_limit'})
TASK [ferm : ensure iptables rules are enabled] ***************************************************************************************************************************************
ok: [35.197.167.246]
TASK [ferm : ensure iptables rules are disabled] **************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [ntp : Include OS-specific variables.] *******************************************************************************************************************************************
ok: [35.197.167.246]
TASK [ntp : Ensure NTP-related packages are installed.] *******************************************************************************************************************************
ok: [35.197.167.246]
TASK [ntp : Ensure tzdata package is installed (Linux).] ******************************************************************************************************************************
ok: [35.197.167.246]
TASK [ntp : Check if clock file exists.] **********************************************************************************************************************************************
skipping: [35.197.167.246]
TASK [ntp : Create clock file if it doesn't exist.] ***********************************************************************************************************************************
skipping: [35.197.167.246]
TASK [ntp : Set timezone] *************************************************************************************************************************************************************
ok: [35.197.167.246]
TASK [ntp : Ensure NTP is running and enabled as configured.] *************************************************************************************************************************
ok: [35.197.167.246]
TASK [ntp : Ensure NTP is stopped and disabled as configured.] ************************************************************************************************************************
skipping: [35.197.167.246]
TASK [ntp : Generate ntp.conf file] ***************************************************************************************************************************************************
changed: [35.197.167.246]
TASK [users : Ensure requested groups are present] ************************************************************************************************************************************
ok: [35.197.167.246] => (item=sudo)
ok: [35.197.167.246] => (item=www-data)
TASK [users : Ensure sudo group has sudo privileges] **********************************************************************************************************************************
changed: [35.197.167.246]
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ************************************************************************************************
System info:
Ansible 2.4.0.0; Linux
Trellis at "Normalize `apt` tasks"
---------------------------------------------------
The conditional check 'TrueTrue' failed. The error was: error while
evaluating conditional (TrueTrue): 'TrueTrue' is undefined
fatal: [35.197.167.246]: FAILED! => {"failed": true}
RUNNING HANDLER [fail2ban : restart fail2ban] *****************************************************************************************************************************************
changed: [35.197.167.246]
RUNNING HANDLER [ferm : restart ferm] *************************************************************************************************************************************************
changed: [35.197.167.246]
RUNNING HANDLER [ntp : restart ntp] ***************************************************************************************************************************************************
changed: [35.197.167.246]
to retry, use: --limit @/home/mclarke/gitlab/australiascience.tv/trellis/server.retry
PLAY RECAP ****************************************************************************************************************************************************************************
35.197.167.246 : ok=38 changed=18 unreachable=0 failed=1
localhost : ok=0 changed=0 unreachable=0 failed=0
~/gitlab/australiascience.tv/trellis$
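The task that fails above, "Fail if root login will be disabled but admin_user will not be a sudoer", exists to stop a play from locking every administrator out of root. The following is an added example, not code from the post or from Trellis: it re-implements that guard as a stand-alone check (the exact condition is an assumption reconstructed from the task name) and runs it over a constructed copy of the users.yml and security.yml values shown in the post, so the configuration's intent can be validated outside Ansible. It also flags a user name that is defined twice after templating, which the posted file does for `mclarke`.

```python
"""Stand-alone re-implementation (an assumption, not Trellis's own code) of the
guard "Fail if root login will be disabled but admin_user will not be a sudoer",
run against a constructed copy of the group_vars from the post."""
import re

# Constructed: the variables from the post's users.yml and security.yml,
# as Ansible would load them before templating the '{{ ... }}' references.
GROUP_VARS = {
    "admin_user": "mclarke",
    "web_user": "web",
    "web_group": "www-data",
    "sshd_permit_root_login": False,
    "users": [
        {"name": "mclarke", "groups": ["sudo"]},
        {"name": "{{ web_user }}", "groups": ["{{ web_group }}"]},
        {"name": "{{ admin_user }}", "groups": ["sudo"]},
    ],
}

# Matches a value that is nothing but a single variable reference, e.g. "{{ admin_user }}".
_TEMPLATE = re.compile(r"^\{\{\s*(\w+)\s*\}\}$")


def render(value, variables):
    """Resolve a bare '{{ var }}' reference against the variable table; literals pass through."""
    match = _TEMPLATE.match(value)
    return variables[match.group(1)] if match else value


def sudoers(variables):
    """Names of every configured user that will end up in the sudo group."""
    result = set()
    for user in variables["users"]:
        groups = {render(g, variables) for g in user.get("groups", [])}
        if "sudo" in groups:
            result.add(render(user["name"], variables))
    return result


def admin_lockout_risk(variables):
    """True when root SSH login is being disabled but admin_user would not be a
    sudoer, i.e. nobody could escalate to root after the play finishes."""
    if variables.get("sshd_permit_root_login", True):
        return False
    return variables["admin_user"] not in sudoers(variables)


def duplicate_users(variables):
    """User names that appear more than once after templating (harmless, but confusing)."""
    names = [render(u["name"], variables) for u in variables["users"]]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    print("sudoers:", sorted(sudoers(GROUP_VARS)))
    print("admin lockout risk:", admin_lockout_risk(GROUP_VARS))
    print("duplicate users:", duplicate_users(GROUP_VARS))
```

Against the posted values the guard passes (`mclarke` is a sudoer), so the `'TrueTrue' is undefined` message is an error in evaluating the conditional itself rather than the condition being true.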