Fail if root login will be disabled but admin_user cannot connect

I am running this command:
ansible-playbook server.yml -e env=production

Attempting to provision the remote server fails on the following thing:

Fail if root login will be disabled but admin_user cannot connect

Here is a photo of the error log leading up to this:

And here is my users.yml

# Documentation: https://roots.io/trellis/docs/ssh-keys/

admin_user: good_admin

# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '../../example_rsa.pub') }}"
      # - https://github.com/username.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '../../example_rsa.pub') }}"
      # - https://github.com/username.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php7.1-fpm *"

I’ve tried changing the admin_user name to root, to admin_user, and to good_admin.

First time trying to deploy. Using a freshly deployed Ubuntu droplet on DigitalOcean.

Also security.yml has the following line:
sshd_permit_root_login: true

Shouldn’t that stop this deployment check from even happening?

Why is it convinced that disabling root login will break it?

Have you provisioned the instance before deploying a site to it?

I think it was trying to provision that produced the error.

ansible-playbook server.yml -e env=production

was the command I ran.

Can you manually connect to server as admin user?
Is ssh client (~/.ssh/config) configured to use the private key equivalent for example_rsa.pub?

I can connect to server manually as admin user using example_rsa

On the remote server, /home/good_admin/.ssh/config doesn’t exist. Is that the problem? If so, what should it be?

@Jack_Robson The error message is not intuitive, sadly, and requires some familiarity with Ansible to interpret.

Although the failed task is named “Fail if root login will be disabled but admin_user cannot connect,” the error says “The conditional check 'admin_user_status | skipped and admin_user_status.rc != 0' failed.” The “'dict object' has no attribute 'rc'” part suggests a problem with this conditional, which is applied to a task that imports the “Fail if root login will be disabled but admin_user cannot connect” task. It’s like the import_tasks task distributes its conditional to each of the imported tasks. When the first imported task runs, that is the first time the conditional is interpreted, and thus the first time the conditional could create an error.

For a quick and dirty workaround, you could comment out the import_tasks task.

For an actual fix, you could test whether you can reproduce this problem on a fresh clone of Trellis, and if so, file a bug report.

I suspect this is more of an unusual case of Trellis updates having been applied incompletely. I suspect you originally cloned Trellis around August 15, 2017 (34186ad), as suggested by the top of your CHANGELOG.md reading Add ansible_local support for non-Windows (as in your error output System info).

Note that if you compare the current changelog, support for Ansible 2.4 wouldn’t be added for another month (September 24, 2017). However, your conditional appears to nonetheless have the form applied in the Ansible 2.4 update.

In addition, your error output System info indicates you are running Ansible 2.5.3 but your conditional does not yet have the form applied for Ansible 2.5.3 compat.

You may choose to update your Trellis to the latest, for full Ansible 2.5.3 compat, and to avoid weird errors, or at least avoid the many deprecation warnings.

Alternatively, you may choose to run Ansible 2.3.2.0 when you run this particular version of Trellis. Hmm, but maybe you need Ansible 2.4. I don’t know, because I can’t tell from the error output what version of Trellis you are running.

Again, for a quick and dirty workaround, you could comment out the import_tasks task. If you want more feedback, you could add the following right before that linked task then share the debug task output on the forum here.

- debug:
    msg: "{{ admin_user_status | to_nice_yaml }}"
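A standalone version of the lockout guard discussed above, written so that a skipped check cannot raise the 'dict object' has no attribute 'rc' error. This is an added example, not Trellis's own tasks and not code from any poster. It assumes Ansible 2.5 or later (for the `is skipped` test), a hypothetical host group `web`, and that each inventory hostname is the address SSH connects to.

```yaml
# Added example, not Trellis code. The "web" group is hypothetical;
# admin_user and sshd_permit_root_login are the variables from the thread.
- hosts: web
  gather_facts: false
  vars:
    admin_user: good_admin
    sshd_permit_root_login: false
  tasks:
    - name: Check whether admin_user can connect with key-based auth only
      # BatchMode makes ssh fail instead of prompting, so rc reflects
      # whether the key was accepted.
      command: >
        ssh -o BatchMode=yes -o PasswordAuthentication=no
        -o ConnectTimeout=10
        {{ admin_user }}@{{ inventory_hostname }} true
      delegate_to: localhost
      register: admin_user_status
      changed_when: false
      failed_when: false
      # If root login stays enabled, this task is skipped and the
      # registered result has "skipped: true" but no "rc" key.
      when: not sshd_permit_root_login | bool

    - name: Show the registered result (same debug task as in the thread)
      debug:
        msg: "{{ admin_user_status | to_nice_yaml }}"

    - name: Fail if root login will be disabled but admin_user cannot connect
      fail:
        msg: >
          {{ admin_user }} cannot connect over SSH with a key.
          Fix key access for this user before disabling root login.
      # A "when" list is ANDed and evaluated in order, so .rc is only
      # read when the check actually ran. default(1) treats a missing
      # rc as a failed check rather than an undefined-variable error.
      when:
        - admin_user_status is not skipped
        - admin_user_status.rc | default(1) != 0
```

With `sshd_permit_root_login: true` the check and the fail task are both skipped without error; with `false` the play stops before any change that would remove root access if the key login fails.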

Epic post.

Commenting out the task worked perfectly.

Will look into debugging a fresh install when I have time.

Much appreciated for your help. I’d have all but given up.
