From 3b6f59a029c4d52ebeaefc4bc5d70e2fc9b3885d Mon Sep 17 00:00:00 2001
From: patrick
Date: Sat, 27 Jun 2026 23:19:26 -0400
Subject: [PATCH] fix(proxmox_lxc_provision): post-clone privilege escalation and SSH key regen var name

The user-module tasks in post-clone.yml were running without become, so modifying /etc/passwd failed with 'usermod: Permission denied' when the connection user (e.g. admin) was non-root. Add become: true to both password tasks. Block-level become is avoided because the known_hosts task in the same file is delegate_to: localhost and should not sudo on the controller.

Also fix the variable name passed to the system_setup ssh tasks_from: post-clone.yml was setting 'regenerate_ssh_keys', but ssh.yml gates on 'regenerate_ssh_host_keys'. The mismatch caused cloned containers to silently keep the source template's SSH host keys.
---
 roles/proxmox_lxc_provision/tasks/post-clone.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/proxmox_lxc_provision/tasks/post-clone.yml b/roles/proxmox_lxc_provision/tasks/post-clone.yml
index 4f6ee8a..c5b204a 100755
--- a/roles/proxmox_lxc_provision/tasks/post-clone.yml
+++ b/roles/proxmox_lxc_provision/tasks/post-clone.yml
@@ -4,6 +4,7 @@
 name: root
 password: "{{ lxc_root_password | password_hash('sha512') }}"
 update_password: always
+ become: true
 when: lxc_root_password is defined

 - name: Change user password
@@ -11,6 +12,7 @@
 name: "{{ lxc_user_name }}"
 password: "{{ lxc_user_password | password_hash('sha512') }}"
 update_password: always
+ become: true
 when: lxc_user_password is defined

 - name: Regenerate SSH host keys
@@ -18,7 +20,7 @@
 name: system_setup
 tasks_from: ssh
 vars:
- regenerate_ssh_keys: true
+ regenerate_ssh_host_keys: true

 - name: Remove previous entry from known hosts
 ansible.builtin.known_hosts:
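Review bot: The added `become: true` in this hunk and the matching one at `@@ -11,6 +12,7 @@` fix the usermod failure but leave no trace in the file of why escalation is per-task rather than at play or block level, which is exactly the rationale the commit message carries and the next editor will not have. A one-line comment above each `become: true`, such as `# usermod writes /etc/shadow; per-task become because the known_hosts task below delegates to localhost`, keeps that reasoning next to the code. Separately, now that these tasks actually run as root, `password_hash('sha512')` with no salt argument generates a fresh random salt on every evaluation, so combined with `update_password: always` the task will report changed and rewrite the shadow entry on every play; if that churn is unwanted, pass a stable salt as the filter's second argument (`password_hash('sha512', <salt_var placeholder>)`) or switch to `update_password: on_create`. The enclosing user task starts above this hunk.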
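Review bot: The renamed `regenerate_ssh_host_keys: true` is a bare magic variable whose only contract is the gate inside another role's ssh.yml, and nothing in this file will catch the next drift, which would reproduce the same silent skip the commit describes. A comment above the `vars:` entry, `# must match the gate variable in system_setup/tasks/ssh.yml; a mismatch silently skips host-key regeneration`, documents the coupling. Containers cloned before this fix presumably still carry the template's host key, so the play needs a re-run against existing hosts, not only new clones, to close that exposure (inferred from the commit description; ssh.yml itself is not in the diff). The role-include task starts above this hunk.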