Alternative for --ask-pass Ansible option in the playbook - ansible

I am searching for a way to force a password prompt on the role for the remote connection. I wish to overwrite the default remote_user set in ansible.cfg only for the one role and allow the others to run under the default one. Is there a way to achieve it?

Related

Ansible hide ansible_password

I am familiar with the solution of ansible-vault feature.
Our passwords are stored as a call to an external lookup (to be specific - Cyberark password).
However, a regular user can still with simple debug command to see them
ansible -m debug -a var=ansible_password <some host>
I am familiar with ansible feature known as "no_log". When you set this attribute on a task, or on a specific variable (in Ansible argument spec) - the output is hidden, even with high verbosity
Is there a way to set this attribute on ansible_password variable? so no one can print it?
The only other solution we came up with is to use vault, but all the cyberark password lookup came up in order to "cut off" the vault feature...
You can set the password to expire or change in Cyberark after each call or execution. Why worry about a user seeing Cyberark's password? It may be useless after Ansible has used it.

programmatically create sudo rules for running ansible-playbook

How could I create a list for all possible commands an ansible-playbook is using so that I could create a sudoers file?
For testing the playbooks, I temporarily create an entry in /etc/sudoers.d:
tempuser ALL=(ALL:ALL) NOPASSWD:ALL
But is there a plugin or way to get the list of commands so that I could later create a list like
tempuser ALL= NOPASSWD: /bin/systemctl start mariadb.service
...
Any ideas?
If you intend to use privilege escalation with ansible then privilege escalation must be general
You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail with ansible as those paths won’t match with the temporary file that Ansible creates to run the module. If you have security rules that constrain your sudo/pbrun/doas environment to running specific command paths only, use Ansible from a special account that does not have this constraint, or use Red Hat Ansible Tower to manage indirect access to SSH credentials.
As demonstrated in the above documentation quote, this is a well known limitation of the tool. If this is a problem in your environment, either look at the above proposed workarounds in documentation quote, or don't use ansible at all.

Ansible: How to pass multiple password files to playbook

When I run an Ansible playbook, how do I pass multiple password files on the command line?
I want to run this:
ansible-playbook --vault-password-file /path/to/vault-password-file my_playbook.yml
but I want to pass multiple password files, because I use multiple variables in the playbook that use different passwords that are stored in different password files.
How do I do that?
(I'm using Ansible 2.9.16, but can upgrade to 2.10.x if that helps, I'm not bound to any specific version)
You can leverage the vault-ids concept(Introduced in Ansible v2.4) to fix your problem.
Sample command below,
ansible-playbook --vault-id dev@dev-password --vault-id prod@prompt site.yml
dev -> Is the vault ID
dev-password -> Points to the password to be used
prod -> Another vault ID
prompt -> Prompts for the password
Ansible Docs for complete workflow and setup: https://docs.ansible.com/ansible/2.6/user_guide/vault.html#vault-ids-and-multiple-vault-passwords
Vault IDs setup with existing password files
Ansible config file setup
vault_identity_list = vaultid1@~/path_to_pass1_file/.pass1 , vaultid2@~/path_to_pass2_file/.pass2
Encrypt the file using the respective vaultid
ansible-vault encrypt --encrypt-vault-id vaultid1 file_to_be_encrypted_1
ansible-vault encrypt --encrypt-vault-id vaultid2 file_to_be_encrypted_2
Run your playbook and it will automatically pick the configuration from the ansible.cfg and decrypt the contents.

Ansible root/password login

I'm trying to use Ansible to provision a server and the first thing I want to do is test the ssh access. If I use ssh directly I can log in fine...
ssh root@server
root@backups's password:
If I use Ansible I can't...
user@ansible:~$ ansible backups -m ping --user root --ask-pass
SSH password:
backups | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Permission denied, please try again.",
"unreachable": true
}
The password I'm using is correct - 100%.
Before anyone suggests using SSH keys - that's what part of what I'm looking to automate.
The issue was caused by the getting started documentation setting a trap.
It instructs you to create an inventory file with servers, use ansible all -m ping to ping those servers and to use the -u switch to change the remote user.
What it doesn't tell you is that if, like me, not all your servers have the same user, the advised way to specify a user per server is in the inventory file...
server1 ansible_connection=ssh ansible_user=user1
server2 ansible_connection=ssh ansible_user=user2
server3 ansible_connection=ssh ansible_user=user3
I was provisioning a server, and the only user I had available to me at the time was root. But trying to do ansible server3 --user root --ask-pass failed to authenticate. After a couple of wasted hours I discovered the --user switch is only effective if the inventory file doesn't have a user. This is intended precedence behaviour. There are a few gripes about this in GitHub issues but a firm 'intended behaviour' mantra is the response you get if you challenge it. It seems to go against the grain to me.
I subsequently discovered that you can specify -e 'ansible_ssh_user=root' to override the inventory user - I will see about creating a pull request to improve the docs.
While you're here, I might be able to save you some time with some further gotchas. This behaviour is the same if you use playbooks. In there you can specify a remote_user but this isn't honoured - presumably also because of precedence. Again, you can override the inventory user with -e 'ansible_ssh_user=root'.
Finally, until I realised Linode could provision a server with an SSH key deployed, I was trying to specify the root password to an ad-hoc command. You have to encrypt the password and this gives you a long string and this is almost certainly going to include $ in it which bash will treat as substitutions. Make sure you escape these.
The lineinfile module behaviour isn't intuitive either.
Write your hosts file like this. It will work.
192.168.2.4
192.168.1.4
[all:vars]
ansible_user=azureuser
Then execute the following command: ansible-playbook --ask-pass -i hosts main.yml --check to check before configuration.
Also create an ansible.cfg file and paste the following contents there:
[defaults]
inventory = hosts
host_key_checking = False
Note: All 3 files, namely main.yml, ansible.cfg and hosts, must be in the same folder.
Also, the code is tested for devices connected to a private network using Private IPs. I haven't checked using Public IPs. If using Azure/AWS, create a test VM and connect it to the VPN of the other devices.
Note: You need to install the SSHPass package to be able to authenticate with Password.
For Ubuntu: apt-get install sshpass

Ansible ask become for a specific host

I need to use the --ask-become-pass parameter for specific host and I would prefer If it could be done in an inventory file. Is this possible?
Some hosts require a password while others don't, so I don't want to add --ask-become-pass when running a playbook. I only need it for specific hosts.
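An added example covering both the vault-id answer above ("How to pass multiple password files") and this per-host become-password question. It is not code from any of the posts; it builds, in a scratch directory, one password file per vault id, an ansible.cfg that registers them through vault_identity_list (the real separator between label and file is "@"), and a host_vars file for the one host that needs a sudo password, holding it in the standard Ansible inventory variable ansible_become_password so the playbook runs without --ask-become-pass. That file is then encrypted with its own vault id. Hostnames (dev-box1, prod-box1), paths and the secret strings are constructed placeholders; the encryption step is skipped, with a message, when ansible-vault is not installed.

```shell
#!/bin/sh
# Added example, not code from the posts above. Builds a two-vault-id layout
# plus a per-host become password in a scratch directory. Hostnames, paths and
# secrets are constructed placeholders.
set -eu

setup_vault_layout() {
  layout=$(mktemp -d)
  mkdir -p "$layout/vault" "$layout/host_vars"

  # One password file per vault id, mode 0600, kept outside any repository.
  printf '%s\n' 'dev-vault-secret-placeholder'  > "$layout/vault/.dev"
  printf '%s\n' 'prod-vault-secret-placeholder' > "$layout/vault/.prod"
  chmod 600 "$layout/vault/.dev" "$layout/vault/.prod"

  # ansible.cfg: label@file pairs, so ansible-vault and ansible-playbook find
  # both passwords without any --vault-password-file on the command line.
  cat > "$layout/ansible.cfg" <<EOF
[defaults]
inventory = hosts
vault_identity_list = dev@$layout/vault/.dev , prod@$layout/vault/.prod
EOF

  # Inventory: ansible_user set here takes precedence over --user on the CLI;
  # only -e ansible_user=... overrides it (see the root/password thread above).
  cat > "$layout/hosts" <<'EOF'
[dev]
dev-box1 ansible_user=deploy

[prod]
prod-box1 ansible_user=deploy
EOF

  # Only prod-box1 needs a sudo password; dev-box1 uses passwordless sudo.
  printf 'ansible_become: true\n' > "$layout/host_vars/dev-box1.yml"
  printf 'ansible_become: true\nansible_become_password: prod-sudo-placeholder\n' \
    > "$layout/host_vars/prod-box1.yml"

  echo "$layout"
}

# Encrypt the prod host_vars file with the prod vault id. When ansible-vault is
# installed, the file's first line becomes the vault header carrying the id;
# when it is not, say so and leave the file in clear so the rest still runs.
encrypt_prod_host_vars() {
  layout=$1
  target="$layout/host_vars/prod-box1.yml"
  if ! command -v ansible-vault >/dev/null 2>&1; then
    echo "ansible-vault not installed; $target left unencrypted" >&2
    return 0
  fi
  ANSIBLE_CONFIG="$layout/ansible.cfg" \
    ansible-vault encrypt --encrypt-vault-id prod "$target"
  head -n 1 "$target"   # $ANSIBLE_VAULT;1.2;AES256;prod
}

# Usage from an interactive shell (site.yml is a placeholder playbook name):
#   d=$(setup_vault_layout); encrypt_prod_host_vars "$d"
#   cd "$d" && ansible-playbook site.yml      # no --ask-become-pass needed
```

Because the become password lives in an encrypted host_vars file rather than on the command line, it is neither visible in shell history nor prompted for, and a host without such a file simply gets no become password. The password files themselves are the real secret: keep them mode 0600 and out of version control, and remember that anyone who can run Ansible with this ansible.cfg can decrypt everything those ids protect.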
