How do you add a sudo password to a delegated host?
eg.
hosts: host1
- name: Some remote command
command: sudo some command
register: result
delegate_to: host2
become: yes
I get "Incorrect sudo password" because I assume it is using the sudo pass for host1. Is there a way to make it use a different password?
It has been a while - but I was struggling with this as well and managed to solve it so here is a summarized answer:
As pointed out correctly the issue is that the ansible_become_password variable is set to to your original host (host1) when running the delegated task on host2.
Option 1: Add become password to inventory and delegate facts
One option to solve this is to specify the become password for host2 in your inventory, and secure it using ansible vault (as they have done here: How to specify become password for tasks delegated to localhost). Then you should be able to trigger using the correct sudo pw with delegate_facts as they did here Ansible delegate_to "Incorrect sudo password".
Option 2: Prompt and overwrite pass manually
If you prefer to get prompted for the second sudo password instead, you can do this by using a vars_promt to specify the second sudo pw during runtime:
- hosts: host1
vars_prompt:
- name: custom_become_pass
prompt: enter the custom become password for host2
private: yes
tasks:
...
Then you can just replace the variable ansible_become_password before running your delegated tasks and it will use the correct sudo password:
tasks:
- name: do stuff on host1
...
- name: set custom become
set_fact:
ansible_become_password: '{{ custom_become_pass }}'
- name: perform delegated task
command: sudo some command
register: result
delegate_to: host2
become: yes
You could try to use ansible_become_password variable directly inside the task's var section.
Ansible doc
Related
I need to make the script prompt for enable password after entering in unprivileged mode in cisco ios. So far this is what I have which works but I don't want to put my real "enable" password on anywhere on my computer.
---
- name: Basic Show Commands
hosts: cisco
gather_facts: False
connection: local
tasks:
- name: show run
ios_command:
commands:
- show run
provider:
authorize: yes
auth_pass: my_enable_password
register: show_run
- debug:
var: show_run.stdout_lines
- name: copy show run to file
local_action: copy content={{show_run.stdout[0]}} dest=/mnt/c/Ansible/show_run
I run the playbook as follows:
ansible-playbook -u my_username -k /mnt/c/Ansible/show_run.yaml
How do I make this happen?
This is very old thread, but for the sake of someone new searching for the answer, I did this-
ansible-playbook -u my_username --ask-pass --ask-become-pass /mnt/c/Ansible/show_run.yaml
Also, in the host file,
[host_group:vars]
ansible_become=yes
ansible_become_method=enable
ansible_network_os=ios
An option "to make the script prompt for enable password" would be to use vars_prompt. See the example below
...
vars_prompt:
- name: "my_enable_password"
prompt: "Cisco auth_pass:"
tasks:
...
is there any mechanism that checks if the SSH/SUDO password is correct? When deploying a playbook across the whole environment, after putting in the wrong password, ansible runs on all hosts with the wrong password, it fails and my LDAP/AD account is locked out.
Since, as it turns out, Ansible does not seem to have this functionality, I decided to create a workaround myself:
in site.yml, I added a role that only runs on one server and has 1 or optionally 2 tasks in it. The first one checks if login itself works, the second one checks if sudo works.
- name: Check ssh password first
command: echo "ssh password correct"
changed_when: false
- name: Check sudo password first
command: echo "sudo password correct"
become: yes
changed_when: false
As a good workaround, I usually put this in site.yml:
- hosts: all
gather_facts: false
tasks:
- name: site.yml | Check if Password is correct
become: true
command: echo "PW is correct"
run_once: true
tags:
- always
That task will run always, no matter what tags you start the playbook with and will check if the ssh/sudo password works on one host before hammering all your servers with login requests.
ansible 192.168.1.115 -s -m shell -a "echo -e 'oldpassword\nnewpassword\nnewpassword' | passwd myuser" -u myuser --ask-sudo-pass
I would like to update existing user with new password, I had tried this command, but it doesn't work
appreciate any Tips !
You can leverage the user module to quickly change the password for desired account. Ansible doesn’t allow you to pass a cleartext password to user module so you have to install a password hashing library to be leveraged by Python.
To install the library:
sudo -H pip install passlib
Then simply exexute your command:
ansible 192.168.1.115 -s -m user -a "name=root update_password=always password={{ yourpassword | password_hash('sha512') }}" -u myuser --ask-sudo-pass
Hope that help you
Create your shadow password (linux) with
python -c 'import crypt; print crypt.crypt("YourPassword", "$6$random_salt")'
create
update_pass.yml
execute your ansible-playbook with sudoer (bash)
ansible-playbook update_pass.yml --become --become-method='sudo' --ask-become-pass
Update password for a list of hosts using dynamic variables:
In your inventory file set a variable (pass) as the following:
ip_1# ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='aaaa'
ip_2# ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='bbbb'
Now in the playbook we make a backup of the shadow file and set cron task to restore the shadow file in case something went wrong than we update the password:
- hosts: your_hosts
gather_facts: no
tasks:
- name: backup shadow file
copy:
src: /etc/shadow
dest: /etc/shadaw.org
become: yes
- name: set cron for backup
cron:
name: restore shadow
hour: 'AT LEAST GIVE YOURSELF ONE HOUR TO BE ABLE TO CALL THIS OFF'
minute: *
job: "yes | cp /tmp/shadow /etc/"
become: yes
- name: generate hash pass
delegate_to: localhost
command: python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt('{{pass}}')"
register: hash
- debug:
var: hash.stdout
- name: update password
user:
name: xxxxxx
password: '{{hash.stdout}}'
become: yes
Now we create a new playbook to call off cron task we use the new password for authentication and if authentication failed cron will remain active and restore the old password.
hosts file:
ip_1# ansible_user=xxxxxx ansible_ssh_pass=aaaa ansible_sudo_pass=aaaa
ip_2# ansible_user=xxxxxx ansible_ssh_pass=bbbb ansible_sudo_pass=bbbb
the playbook:
- hosts: your_hosts
gather_facts: no
tasks:
- name: cancel cron task
cron:
name: restore shadow
state: absent
!!Remember:
pass variable contain your password so you may consider using vault.
Give yourself time when setting cron for backup to be able to call it of (second playbook).
In worst case cron will restore the original password.
You need to have passlib installed in your ansible server.
I have a set of Ansible playbooks and the main yml file is like this
- hosts: all
roles:
- common
- install_nginx
I want to add the confirm message when I trigger the playbook. I tried this and did not work
- hosts: all
vars_prompt:
- name: CONFIRM
prompt: Just to confirm you will install stuff
tasks:
- fail: no deployment this time
when: CONFIRM != 'yes'
roles:
- common
- install_nginx
How can I use vars_prompt in this case without modify every role?
If you look at the output from running your playbook with the vars_prompt you'll see that the fail task runs after the other roles. This is also mentioned in the Ansible docs for playbooks and roles:
If the play still has a ‘tasks’ section, those tasks are executed
after roles are applied.
As the above docs also mention if you want to force a task to run before any roles then you can use pre_tasks.
So to have your confirmation style prompt you could simply do this:
- hosts: all
vars_prompt:
- name: CONFIRM
prompt: Just to confirm you will install stuff
pre_tasks:
- fail: no deployment this time
when: CONFIRM != 'yes'
roles:
- common
- install_nginx
I am not very sure, but the way this works is :
- hosts: all
vars_prompt:
- name: "confirm"
prompt: Just to confirm you will install stuff
private: no
default: "no"
tasks:
- name: Install Nginx
apt: name=nginx
sudo: true
when: confirm == "yes"
Now if we need to call each role based on a condition , i suppose we shoud be using tags.
How to use Ansible vars_prompt for roles
i got the solution to use vars_prompts in ansible role section
i have directly included vars_prompt in my main.yml playbook as like before
- hosts: "{{HOSTS}}"
gather_facts: yes
become: yes
roles:
- syslog
- splunk
- nmon
- trendmicro
- user-creation
- extened-history
vars_prompt:
- name: "user_password"
prompt: "Enter User Password"
private: yes
confirm: yes
==========================================================
Below is the ansible command to execute the playbook
# ansible-playbook ort-linux.yml -e "HOSTS=TESTSERVER"
Enter User Password:
confirm Enter User Password:
========================================================
Below is my roles playbook for user id creation
---
- name: "Task-1 create Linux Team user"
user:
name: "{{item}}"
comment: LINUX_UNIX_TEAM
group: LINUX_UNIX_TEAM
shell: /bin/bash
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
createhome: yes
password: "{{user_password|password_hash('sha512')}}"
loop:
- sam
- jack
- kumar
- ravi
tags: linuxuser
I am trying to write a ansible play book to run a command on remote host.
Is it possible to write a host_ip, username and password with in play book?
you can add the hostname if the inventory file under a group like that:
[group-name]
34.67.12.12
and then in the playbook yml you can specify a group to run on like that:
- hosts: group-name
gather_facts: true
sudo: yes
vars_files:
- "group_vars/group-name/config"
roles:
- do-bla-bla
about the username and password its is not secure to write it in the variable file , for that there is ansible vault