fix(ansible): add become, gate pcsclite install, fix package names #38
Open
tod-uma wants to merge 1 commit into
The role requires privilege escalation for system-level operations but did not declare become: true on any tasks or handlers, causing failures when Ansible connects as an unprivileged user.

- Add become: true to all tasks that require root: package install, service user/group creation, directory creation, binary download, configuration deployment, and systemd unit management.
- Add become_user: acme-proxy to the binary install tasks (slurp, get_url, copy) — the install dir is mode 0750 owned by the service user, so temp file creation fails when running as root.
- Add become: true to both handlers, which do not inherit become from the notifying task.
- Add acme_proxy_install_pcsc variable (default: true) to gate the libpcsclite install. The pre-built binary is dynamically linked against libpcsclite.so.1 despite the docs stating otherwise.
- Correct pcsclite package names from build-time devel packages to runtime libraries: pcsc-lite-devel -> pcsc-lite (RedHat), libpcsclite-dev -> libpcsclite1 (Debian).
Summary

- become: The role runs system-level operations (package install, user/group creation, directory creation, binary download, systemd management) but declared no `become: true` on any task or handler, causing failures when Ansible connects as an unprivileged user. Added `become: true` to all tasks that require root, and to both handlers (which do not inherit `become` from the notifying task).
- become_user: The binary install tasks (`slurp`, `get_url`, `copy`) now use `become_user: acme-proxy`. The install directory is mode `0750` owned by the service user, so temp file creation fails when running as root.
- libpcsclite: Added `acme_proxy_install_pcsc` (default: `true`) to gate the package install. Despite the docs stating libpcsclite is only required for source builds, the pre-built binary is dynamically linked against `libpcsclite.so.1` and will not start without it (`error while loading shared libraries: libpcsclite.so.1`). Also corrected the package names from build-time devel packages to the runtime libraries: `pcsc-lite-devel` → `pcsc-lite` (RedHat), `libpcsclite-dev` → `libpcsclite1` (Debian).

Test plan

- complete without privilege errors
- `acme-proxy.service` starts cleanly (`libpcsclite.so.1` found)
- `--check --diff` — no live GitHub API call when version is pinned
- `acme_proxy_install_pcsc: false` — package task is skipped

🤖 Generated with Claude Code
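The gated runtime-library install and the per-handler `become` described in this PR, sketched as an added illustration that is not the role's own code. The file layout, task names, the `acme_proxy_pcsc_runtime_pkg` lookup, the template name and the unit path are assumptions; the package names, `acme_proxy_install_pcsc` and `acme-proxy.service` come from the PR description.

```yaml
---
# defaults/main.yml (assumed location)
acme_proxy_install_pcsc: true
acme_proxy_pcsc_runtime_pkg:    # hypothetical lookup keyed by ansible_os_family
  RedHat: pcsc-lite             # runtime library, not pcsc-lite-devel
  Debian: libpcsclite1          # runtime library, not libpcsclite-dev
---
# tasks/main.yml (assumed location)
- name: Fail early on an OS family with no mapped runtime package
  ansible.builtin.assert:
    that: ansible_os_family in acme_proxy_pcsc_runtime_pkg
    fail_msg: "No libpcsclite runtime package mapped for {{ ansible_os_family }}"
  when: acme_proxy_install_pcsc | bool

- name: Install libpcsclite runtime library
  ansible.builtin.package:
    name: "{{ acme_proxy_pcsc_runtime_pkg[ansible_os_family] }}"
    state: present
  become: true                  # escalation declared on the task that needs root
  when: acme_proxy_install_pcsc | bool

- name: Deploy systemd unit
  ansible.builtin.template:
    src: acme-proxy.service.j2  # hypothetical template name
    dest: /etc/systemd/system/acme-proxy.service
    owner: root
    group: root
    mode: "0644"
  become: true
  notify: Restart acme-proxy
---
# handlers/main.yml (assumed location)
- name: Restart acme-proxy
  ansible.builtin.systemd:
    name: acme-proxy.service
    state: restarted
    daemon_reload: true
  become: true                  # set explicitly; not taken from the notifying task
```

With `acme_proxy_install_pcsc: false`, both the assert and the package task are skipped, which matches the last item of the test plan.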