gotchas

There are a couple of gotchas with ansible that got me, which require configuration changes to overcome. Most people will probably see some of these as obvious, but, as a bear with very little brain, I got got.

image: light show

I managed most of my gotchas in the ansible.cfg file by changing a few defaults, beyond the obvious ones such as specifying the location of the inventory.

The first gotcha is actually pretty obvious. Ansible defaults to using sudo to give itself root powers on a target machine. OpenBSD uses doas instead. If you are only targeting OpenBSD machines, then you can manage this in ansible.cfg. Under “[privilege_escalation]”, set:
become_method=doas

There is a nasty ssh gotcha. If a target machine takes longer than a predetermined time to return some output, ansible can completely hang. Everything stops, not just processing on the offending machine. This is not useful.

What actually happens, it seems, is that ssh can time out and automatically disconnect. There appear to be a number of ways of dealing with this. The one that commonly works is to amend the “[ssh_connection]” section so that “ssh_args” includes “-o ServerAliveInterval=30”. For example:
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ServerAliveInterval=30

There are a number of other possible causes of an ssh problem. Sometimes, apparently, it’s better to disable “ControlMaster” in “ssh_args”:
ssh_args = -C -o ControlMaster=no
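Pulling the settings above together, here is an ansible.cfg as an added example (not the file from the original post). It assumes an inventory file called hosts sitting next to it; the ServerAliveCountMax value is my addition, so that ssh gives up after a few unanswered keepalive probes rather than waiting indefinitely. On a mixed fleet you would leave become_method at its default and set ansible_become_method=doas on the OpenBSD hosts or group in the inventory instead.

```ini
# ansible.cfg (added example, not the original post's file)
# Assumes an inventory file named "hosts" in the same directory.
[defaults]
inventory = ./hosts

[privilege_escalation]
# OpenBSD ships doas rather than sudo. For a mixed fleet, leave this at the
# default and set ansible_become_method=doas per host or group in the inventory.
become_method = doas

[ssh_connection]
# Keepalive so a slow task does not let ssh drop the session and hang the whole run.
# ServerAliveCountMax (my addition) caps how many unanswered probes ssh tolerates
# before it gives up, so a dead host fails the task instead of stalling it.
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ServerAliveInterval=30 -o ServerAliveCountMax=3

# If connection multiplexing itself is the problem, use the alternative from the post instead:
# ssh_args = -C -o ControlMaster=no
```

Ansible reads ansible.cfg from the current working directory (or the path in ANSIBLE_CONFIG), so keep this file alongside the playbooks you run it with; `ansible-config dump --only-changed` shows which of these defaults are actually in effect.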

There are other possible causes of a hang. If the ssh keepalive doesn’t fix your problem when running a playbook, then I suggest you have a look at the async and poll task keywords.

I’ve also set up an ansible vault to hold my passwords. Ansible needs the keys to your network’s castle to work, which means that, if some naughty person comes along and tries to break into your network, all they really need is to break into your ansible configuration to be able to grab everything else — hence ansible vault to keep those passwords safely locked up.

The vault is fairly easy to use, but there is one nasty gotcha which you should normally not encounter. There are certain circumstances when some python dependencies have the wrong version. I find vault is particularly prone to not working properly when this happens. It’ll encrypt and safely store your passwords, that’s fine, but it won’t deliver them to scripts when required. I’ve only seen this featurette under CentOS 7.
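The following playbook is an added example, not something from the original post, covering both the async/poll approach to long-running tasks and the vault problem just described. It assumes an inventory group named openbsd, a vault-encrypted file group_vars/openbsd/vault.yml (created with `ansible-vault create group_vars/openbsd/vault.yml`) that defines vault_db_password, a hypothetical /usr/local/bin/slow-backup script on the targets, and that the play is run with --ask-vault-pass or --vault-password-file. The assert task is the check I would want for the “vault encrypts but does not deliver” failure: it fails loudly at the start of the play instead of letting an undefined secret reach a config file.

```yaml
# site.yml (added example, not the original post's playbook)
# Assumes: inventory group "openbsd"; a vaulted group_vars/openbsd/vault.yml that
# defines vault_db_password; a hypothetical /usr/local/bin/slow-backup on the hosts.
- name: Long-running work and vaulted secrets without hanging the run
  hosts: openbsd
  become: true
  become_method: doas        # per-play alternative to the ansible.cfg setting

  tasks:
    - name: Check the vault actually delivered the secret (catches the python dependency failure)
      ansible.builtin.assert:
        that:
          - vault_db_password is defined
          - vault_db_password | length > 0
        fail_msg: "vault_db_password was not decrypted; check ansible-vault and python dependency versions"
        quiet: true

    - name: Start a slow job in the background (allowed up to 1 hour), do not wait for it
      ansible.builtin.command: /usr/local/bin/slow-backup   # hypothetical script
      async: 3600
      poll: 0
      register: slow_job

    - name: Write the secret without echoing it into the log
      ansible.builtin.lineinfile:
        path: /etc/app/db.conf
        regexp: '^password='
        line: "password={{ vault_db_password }}"
        create: true
        mode: '0600'
      no_log: true

    - name: Wait for the background job, polling every 15s for up to 10 minutes
      ansible.builtin.async_status:
        jid: "{{ slow_job.ansible_job_id }}"
      register: job_result
      until: job_result.finished
      retries: 40
      delay: 15
```

Because the slow task is started with poll: 0, the ssh session returns immediately and the later async_status task polls over fresh, short connections, so the ServerAliveInterval timeout never comes into play for the long job. no_log on the lineinfile task keeps the decrypted password out of verbose output and callback logs, which matters because the whole point of the vault is that the playbook run itself is not where the secret leaks.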