{"id":817,"sha1":"b1a1a54bb88a664ab7918000aad504660b0ad336","playbook":{"id":4,"items":{"plays":32,"tasks":1505,"results":1497,"hosts":12,"files":487,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:57:07.871967Z","ended":"2025-12-08T14:21:54.049657Z","duration":"00:24:46.177690","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2022, BBC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Ensure trusted CA directory is present\n  ansible.builtin.file:\n    path: \"/etc/ssh/trusted_ca.d\"\n    state: directory\n    mode: \"0700\"\n\n- name: Slurp up SSH CA certificates from keypair setup host ({{ ssh_keypairs_setup_host }})\n  delegate_to: \"{{ ssh_keypairs_setup_host }}\"\n  ansible.builtin.slurp:\n    src: \"{{ item.src | default(ssh_keypairs_dir ~ '/' ~ item.name ~ '.pub') }}\"\n  register: _ssh_ca_slurp\n  when:\n    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)\n  loop: \"{{ ssh_keypairs_install_ca }}\"\n  ignore_errors: \"{{ ansible_check_mode }}\"\n\n- name: Create sshd trusted certificate config files\n  ansible.builtin.template:\n    src: \"ssh_ca.j2\"\n    dest: \"/etc/ssh/trusted_ca.d/{{ item.item.name }}\"\n    mode: \"0644\"\n  with_items: \"{{ _ssh_ca_slurp.results }}\"\n  ignore_errors: \"{{ ansible_check_mode }}\"\n  when:\n    - item.item.state is not defined or item.item.state != 'absent'\n  notify:\n    - Regenerate trusted_ca file\n\n- name: Remove sshd trusted authorities for absent CA\n  ansible.builtin.file:\n    path: \"/etc/sshd/trusted_ca.d/{{ item.item.name }}\"\n    state: absent\n  with_items: \"{{ _ssh_ca_slurp.results }}\"\n  ignore_errors: \"{{ ansible_check_mode }}\"\n  when:\n    - item.item.state is defined\n    - item.item.state == 'absent'\n  notify:\n    - Regenerate trusted_ca file\n\n- name: Write sshd trusted authorities config fragement\n  ansible.builtin.template:\n    src: ssh_ca_config.j2\n    dest: \"/etc/ssh/sshd_config.d/{{ ssh_keypairs_trusted_ca_config_file }}\"\n    mode: \"0644\"\n  notify:\n    - Reload sshd\n\n- name: Ensure authorized principals directory is present\n  ansible.builtin.file:\n    path: \"{{ ssh_keypairs_authorized_principals_file | dirname }}\"\n    state: directory\n    mode: \"0755\"\n\n- name: Create sshd certificate principals config files\n  ansible.builtin.template:\n    src: \"ssh_principal.j2\"\n    dest: \"{{ (ssh_keypairs_authorized_principals_file | dirname) ~ '/' ~ item.user ~ '_principals' }}\"\n    mode: \"0644\"\n  with_items: \"{{ ssh_keypairs_principals }}\"\n  when:\n    - item.state is not defined or item.state != 'absent'\n    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)\n  notify:\n    - Reload sshd\n\n- name: Remove sshd certificate principals which are absent\n  ansible.builtin.file:\n    path: \"{{ (ssh_keypairs_authorized_principals_file | dirname) ~ '/' ~ item.user ~ '_principals' }}\"\n    state: absent\n  with_items: \"{{ ssh_keypairs_principals }}\"\n  when:\n    - item.item.state is defined\n    - item.item.state == 'absent'\n    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)\n","created":"2025-12-08T13:57:43.629649Z","updated":"2025-12-08T13:57:43.629662Z","path":"/etc/ansible/ansible_collections/openstack/osa/roles/ssh_keypairs/tasks/standalone/install_ssh_ca.yml"}