Commit Graph

7 Commits (91c23894a22e37d8a8492d41ad37356aff1a30a4)

Author SHA1 Message Date
Dustin 91c23894a2 Set shell when using su for become
infra/host-provisioner/pipeline/head This commit looks good Details
Since the host-provisioner connects to the target machine as root, it
only uses "become" to drop privileges.  Unprivileged users often have a
non-login shell set (e.g. `/bin/false` or `/sbin/nologin`), which
prevents `su` from working, as it uses the target user's shell by
default.  Fortunately, we can override the shell with the `-s` argument,
which we can tell Ansible to add via the `ansible_become_flags`
variable.
2025-07-09 08:49:54 -05:00
Dustin 926b679865 Set become method via variable
infra/host-provisioner/pipeline/head This commit looks good Details
It seems like setting the `ansible_become_method` variable as a group
variable overrides the `--become-method` CLI argument.  If we set the
variable on the command line, that _should_ take precedence.
2025-07-08 20:59:45 -05:00
Dustin d860a25986 Set become method to su
infra/host-provisioner/pipeline/head This commit looks good Details
Since the host-provisioner connects to remote machines as _root_, it
normally doesn't use Ansible's "become" system at all.  Some tasks,
though, need to use it to switch to a specific unprivileged user.
For those, `doas` is not appropriate, since it doesn't permit root by
default.  Rather than adjust this configuration, let's switch to `su`
which requires no configuration, and does allow root.
2025-07-08 20:11:19 -05:00
Dustin 2500dc511d Add debug logging
infra/host-provisioner/pipeline/head This commit looks good Details
Trying to figure out why it's not cloning the correct branch...
2025-02-07 21:43:38 -06:00
Dustin cefdd39e2d ci: Add Jenkins pipeline
infra/host-provisioner/pipeline/head This commit looks good Details
2025-02-07 21:16:23 -06:00
Dustin 9d38a8ac01 Begin host provisioner script
The _Host Provisioner_ is a tool that runs an Ansible playbook to
initially provision a new machine.  It is intended to run as a
Kubernetes Job, created by a webhook that is triggered when the machine
boots up for the first time.  The tool retrieves information about the
new machine (its hostname and SSH host keys) from a message queue,
published by the same webhook that launched the job.  It then clones
the configuration policy (optionally from the branch provided in the
host info message) and applies the `site.yml` playbook.
2025-02-07 19:00:15 -06:00
Dustin 9a203585a0 Initial commit
2025-02-05 20:11:08 -06:00