Ansible synchronize prompts passphrase even if already entered at the beginning

青春惊慌失措 2021-02-06 06:28

The synchronize module of Ansible (v1.6.5) prompts for the passphrase (Enter passphrase for key) even though I already entered it at the beginning of running th

5 Answers
  • 2021-02-06 07:12

    I tried using the copy module but it takes way too much time. So to make the synchronize module work, I will do the following. It is not perfect but at least it works.

    1. change the ownership and permissions of the destination remote folder to the user I am using

    2. use synchronize without sudo

    3. set back the ownership and permissions of the destination remote to what I wanted before

  • 2021-02-06 07:18

    The synchronize command (up to at least Ansible 1.6.6) seems to ignore the normal SSH control socket opened by Ansible. Your task could expand to the following:

    {
        "cmd": "rsync --delay-updates -FF --compress --archive
            --rsh 'ssh  -o StrictHostKeyChecking=no'
            --out-format='<<CHANGED>>%i %n%L'
            /home/me/src/ user@host:/dest/",
        "failed": true,
        "rc": 23
    }
    

    To get these details, run your playbook with the -v option. As a workaround for this, you can start ssh-agent and cache your SSH key with ssh-add. Refer to their manual pages for details.

    Extra caveats with the synchronize module:

    • When run with sudo: yes, ansible will run with --rsh 'sudo ssh' which will break if the remote sudo configuration requires a password and/or TTY. Solution: set sudo: no in your task definition.
    • The user that logs into the remote machine is your SSH user (ansible_ssh_user), not the sudo user. I have not found a way to override this user (besides an untested method that overrides the user with -o User option via one of the other options (dest_port="22 -o User=your_user"?) in combination with set_remote_user=yes).

    This is taken from my tasks file:

    - name: sync app files
      sudo: no
      synchronize: src={{app_srcdir}}/ dest={{appdir}}/
                   recursive=yes
                   rsync_opts=--exclude=.hg
    # and of course Ubuntu 12.04 does not support --usermap..
    #,--chown={{deployuser}}:www-data
    # the above goes bad because ansible_ssh_user=user has no privileges
    #  local_action: command rsync -av --chown=:www-data
    #                 {{app_srcdir}}
    #                 {{deployuser}}@{{inventory_hostname}}:{{appdir}}/
    #  when: app_srcdir is defined
    # The above still goes bad because {{inventory_hostname}} is not ssh host...
    
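As an added example (not part of the answer above and not Ansible's own code), the causes that answer lists can be checked against the `cmd` string printed by `-v`. The function names and finding labels are hypothetical, and only the presence of `SSH_AUTH_SOCK` is tested, not whether the agent actually holds the key.

```python
import shlex

# Constructed sample: the "cmd" string from the -v output quoted in the answer.
SAMPLE_CMD = ("rsync --delay-updates -FF --compress --archive "
              "--rsh 'ssh  -o StrictHostKeyChecking=no' "
              "--out-format='<<CHANGED>>%i %n%L' "
              "/home/me/src/ user@host:/dest/")


def rsh_command(cmd):
    """Return the remote-shell command given to rsync (--rsh / -e), or None."""
    args = shlex.split(cmd)
    for i, arg in enumerate(args):
        if arg.startswith("--rsh="):
            return arg[len("--rsh="):]
        if arg in ("--rsh", "-e") and i + 1 < len(args):
            return args[i + 1]
    return None


def diagnose(cmd, env):
    """Map an rsync command line to the causes named in the answer (hypothetical labels)."""
    findings = []
    words = shlex.split(rsh_command(cmd) or "ssh")
    if not any("ControlPath" in w for w in words):
        # rsync's ssh does not reuse a control socket, so it authenticates again.
        findings.append("no-control-socket")
        if not env.get("SSH_AUTH_SOCK"):
            # No agent socket exported: ssh has to ask for the key passphrase.
            findings.append("no-ssh-agent")
    if words and words[0] == "sudo":
        # 'sudo ssh' breaks when sudo needs a password or a TTY.
        findings.append("sudo-wrapped-ssh")
    dest = shlex.split(cmd)[-1]
    if "@" in dest.split(":", 1)[0]:
        # user@ in the destination takes precedence over User in ~/.ssh/config.
        findings.append("explicit-remote-user")
    return findings


if __name__ == "__main__":
    import os
    for finding in diagnose(SAMPLE_CMD, os.environ):
        print(finding)
```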
  • 2021-02-06 07:18

    The best way to approach this is to install your key into the SSH authorized_keys for the root user on the remote server.

  • 2021-02-06 07:20

    I think by default synchronize is explicitly setting a username on the rsync command - you can prevent this and allow rsync to work from your ssh config file.

    http://docs.ansible.com/synchronize_module.html

    set_remote_user put user@ for the remote paths. If you have a custom ssh config to define the remote user for a host that does not match the inventory user, you should set this parameter to "no".

    I have a remote user configured in my ssh config and needed to add set_remote_user=no to get synchronize to work, otherwise it tried to use the wrong username and neither ssh key nor password would work.

  • 2021-02-06 07:22

    Disabling tty_tickets in /etc/sudoers on the remote machine fixes this problem (at the cost of slightly reduced security). E.g.,

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults        env_reset,!tty_tickets
    # ...
    