I want to create a file (namely an id_rsa key) using ansible.
It seems that using the copy builtin module is no longer recommended and users are advised to use template.
If I understand correcly, I will have to put the contents of the id_rsa to an id_rsa.j2 and then render it on the target host.
This of course will then have to be encrypted with ansible-vault.
My question is whether there is a workaround (since I already have a vars file with secrets) so that I add the contents of the private key to this (already encrypted) file to avoid adding yet another encrypted file just for this purpose.
You wouldn't put any sensitive information in your template, just the variable name, the same way you would have with copy + content.
{{ my_private_key_var }}
Related
I have a playbook with the following task that must copy the 2 Gb file from local to remote servers and extract files:
- name: Copy archived file to target server and extract
unarchive:
src: /path_to_source_dir/file.tar.gz
dest: /path_to_dest_dir
This task fails because ansible copies file to /home mount point on the target server and there's not enough space there:
sftp> put /path_to_source_dir/file.tar.gz /home/my_user_name/.ansible/tmp/ansible-tmp-1551129648.53-14181330218552/source
scp: /home/my_user_name/.ansible/tmp/ansible-tmp-1551129648.53-14181330218552/source: No space left on device
The reason for that is because ansible.cfg has a default parameter:
remote_tmp = ~/.ansible/tmp
How to overwrite this parameter from the playbook (if possible) and make ansible to copy file to the same destination directory specified in the task? So it would be like this:
remote_tmp = /path_to_dest_dir/.ansible/tmp
And the destination path is going to be different each time for a different target server!
Cleaning /home is not an option for me.
The answer here unfortunately is not very clear to me.
There are a few different ways to achieve what you are looking to do. Which one is a matter of preference and your use case.
You found the first way, setting an environment variable before running the playbook. Great for a quick on-the-fly job. Remembering to do that every time you run a certain playbook is indeed annoying. A slight variation of that is to use the environment keyword to set that variable for the play. You can also set environment variable in a role, block or a single task. https://docs.ansible.com/ansible/devel/reference_appendices/playbooks_keywords.html?highlight=environment%20directive. Here is an example of it in use: https://docs.ansible.com/ansible/devel/reference_appendices/faq.html?highlight=environment.
Using the environment keyword in a play et al works well for a specific application of automation, but what if you want Ansible to always use a different remote tmp path for specific servers? Like all variables, the remote_tmp can be sourced from inventory host and group variables not just the config file or environment variables. You need to mind you variable precedence if it is being set in different places. With this you could set remote_tmp in your inventory for that host or a group of hosts. Ansible will always use that path for that host or hosts in that group without having to define it in every play or roles. If you need to change that path, you change it in your inventory and it changes the behavior for all playbook runs without any additional edits. Here is an example of it being used as a host variable in static inventory: https://docs.ansible.com/ansible/devel/reference_appendices/faq.html?highlight=remote_tmp#running-on-solaris
So while the specific issue of "dynamically" setting the remote tmp directory on a host is not a best practice topic per se, it does become an example of the best practice of making the most of variables in Ansible.
For reference, remote temporary directories are handled by the shell plugins. While many parameters are shared, there are others that are specific to the shell Ansible using. Ansible uses sh by default. https://docs.ansible.com/ansible/latest/plugins/shell/sh.html
Hope that helps. Happy automating.
I use a streaming service (di.fm) that has many channels. Each channel has a playlist I stream from the CLI (using mpv). Each URL in each playlist stores the API KEY.
I want to store the API KEY outside of the individual playlists, so for example, if I change the API KEY, I don't have to change every playlist.
I'm on a Mac.
1) What is the best (safest) place to declare export DI_KEY=""? In .bashrc was my first thought, except I back it up to github. Any other better place to declare the env var that will be created each time I enter bash?
2) In the playlist file, how do I use the $DI_KEY in the URL?
[playlist]
NumberOfEntries=1
File1=http://prem4.di.fm:80/00sclubhits?$DI_KEY
Title1=DI.FM - 00s Club Hits
Length1=0
Version=2
Just referencing it directly doesn't work.
I'm sure this may be answered elsewhere, but in all my searching I couldn't find any helpful answers, particularly to questions 2.
Regarding setting env variables outside of .bashrc, you could create a separate file to define sensitive variables and source this from within your .bashrc.
For example, create a file ~.my-private-variables, add the filename to your .gitignore and add the line export DI_KEY="12345" to this file. Then add the following block in .bashrc:
if [ -f ~/.my-private-variables ]; then
. ~/.my-private-variables
fi
Regarding the playlist file, bash is not running the file, so the environment variable is not expanded.
You could dynamically generate the playlist when bash starts, something like this:
#!/bin/bash
filename=playlist-1.pls
baseurl=http://prem4.di.fm:80
cat << EOF > $filename
[playlist]
NumberOfEntries=1
File1=${baseurl}/00sclubhits?${DI_KEY}
Title1=DI.FM - 00s Club Hits
Length1=0
Version=2
EOF
This will expand the variable and write it to the file, in this case playlist-1.pls in the current working directory. You might add an absolute path to the filename variable that references your playlists directory.
To run this, you could create a script called playlist-generator and source this in .bashrc as described above. You could add as many playlists as you like here.
Is it possible within an Ansible host file to refer to hosts within a group like my provided sample or is there any other way of doing it directly in the host file? (I would prefer not to change existing playbooks or use limit flags)
# Handled by terraform with company policies (can't change this)
[web]
direct-15-67-156-6.bdb.company.com
direct-12-67-116-124.lia.company.com
[lb]
direct-12-68-117-13.osp.company.com
# BEGIN ANSIBLE MANAGED BLOCK
[mywebsite]
web[0]
[gatling]
web[1]
You can't do anything like you suggest with a static hosts file, however the static hosts file can be replaced with a script, and then you are free to use whatever logic you wish to build out your groups and hosts. Perhaps you can persuade Terraform to produce the data in a JSON file (or similar) that your inventory script could then consume?
Docs are here.
We are using vagrant and ansible to create standard development environments.
The ansible playbooks, vagrant files, etc. are in a git repository.
I've using variable file separation to refer to variable files in the developer's home directory for some senstitive and/or user-specific information (e.g. email address).
We use the variables by doing a vars_file: as part of the playbook, but have to do it for every play.
I don't want to put it in the group_vars/all file because it would then be in the repository and not specific to the user.
I would rather not have a file in the repository that is ignored because people still manage to include it and it screw everybody else up.
Is there a way of doing an equivalent of groups/all which can contain tasks and/or variable definitions that will automatically run whenever a playbook is run?
We use the variables by doing a vars_file: as part of the playbook, but have to do it for every play.
Nope, you can do it on playbook level. (But this might be a new thing, could have been impossible back then, I did not check.)
Is there a way of doing an equivalent of groups/all which can contain tasks and/or variable definitions that will automatically run whenever a playbook is run?
Automatically run/included when?! I don't think this is possible as there would be a lot of open questions like:
Should this be specified on the target machine or the ansible server?
How do you specify for which user should this happen on which host?
If there are tasks: do you want this to be executed on each playbook
when it is run using the given user? What about tasks which specifies
that they run as root (become)? What about tasks that specify a
given user to be executed as? What about tasks that are run as root
but creates a file with the owner matching the given user?
As there are no user scopes with variables and we don't really have a "user context" outlined (see the last questions) we are currently stuck with inclusion of variable files explicitly. Hence the below options:
You can keep using vars_file and specify a first found list.
vars_file:
- - ~/ansible_config/vars.yml
- <default vars file somewhere on the machine>
This way the ansible executor user can redefine values...
You can use the --extra-vars #<filepath> syntax to include all variables from a file, and you can have more than one of these.
A similar thing I do is that I include every variable from every yml file within my GLOBAL_INPUT_DIR (which is an environment variable that can be defined before running the bash script executing ansible-playbook or in a your bash profile or something).
EXTRA_ARGS=`{
{
find "${GLOBAL_INPUT_DIR}" -iname "*.yml";
}\
| while read line; do echo "--extra-vars #${line} "; done \
| tr -d "\n"
}`
ansible-playbook $# ${EXTRA_ARGS}
I usually include something like this in my doings to provide an easy way of redifining variables...
BUT: be aware that this will redefine ALL occurances of a variable name within the playbook (but this was also true with vars_file).
I have a ruby script main.rb which takes in two parameters, ipaddress and apitoken.
$token = "VALUE"
$ip_addr = "ADDRESS"
These values are hard coded into the script. When I push the project into Github's repo, I get a warning that my keys are visible.
What is the recommended way to hide these variables? Is it as simple as adding a separate file for these values and adding them to .gitignore?
Personally, I don't like using open and file operations in code. Better way would be to use one of the following approaches,
Put the keys in system environment as follows,
export MY_TOKEN=xyz
export MY_IP_ADDR=a.b.c.d
If you want it to be available after you restart shell, then put it in ~/.bash_profile.
and in your code use as follows,
$token = ENV["MY_TOKEN"]
$ip_addr = ENV["MY_IP_ADDR"]
OR
You can use dotenv gem, if you don't want system wide environment variables and exclude .env from git but putting the file in .gitignore.
Following this guide, a simple way to do this is to create folders .auth_token and .ip_addr.
Add the necessary keys in them and access them by reading the files as follows:
$token = open("lib/assets/.auth_token").read()
$ip_addr = open("lib/assets/.ip_addr").read()
If pushing to a repository, make sure the folders are added to .gitignore