I have an inventory like this:
[all:vars]
env_cidr_prefix='172.25'
antother_var="foo"
[VPN_SERVER]
vpn-server ansible_host="{{ env_cidr_prefix}}.0.1"
During ansible playbook, the inventory holds only private ip address.
I wan't to replace the content of "ansible_host=" with the public ip
Example of a playbook:
- name: grab the vpn public_ip
set_fact: PUBLIC_IP="{{ instance_eip.public_ip }}"
when: inventory_hostname |search("vpn-server")
- name: update inventory with the vpn public ip
replace:
path: "{{ inventory_file }}"
regexp: "{{ ansible_host }}"
replace: "{{ PUBLIC_IP }}"
when: inventory_hostname |search("vpn-server")
if
ansible_host="172.25.0.1"
the replace module will work correctly.
but this fails
ansible_host="{{ env_cidr_prefix}}.0.1"
debug output:
ok: [vpn-server] => {
"changed": false,
"invocation": {
"module_args": {
"after": null,
"attributes": null,
"backup": false,
"before": null,
"content": null,
"delimiter": null,
"directory_mode": null,
"encoding": "utf-8",
"follow": false,
"force": null,
"group": null,
"mode": null,
"owner": null,
"path": "/home/toluna/ansible/openvpn/env.properties",
"regexp": "172.25.0.11",
"remote_src": null,
"replace": "1.1.1.1",
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"unsafe_writes": null,
"validate": null
}
},
"msg": ""
}
Note, I cant use the add_host module since the playbooks are running in different stages
Is there a better way to do it ?
Thanks
OK, after testing it I guess I understand what are you trying to achieve.
Several parts here:
The inventory file is like this:
vpn-server ansible_host="{{ env_cidr_prefix}}.0.1"
And you are trying to replace 172.25.0.1 literal which doesn't exist in your file. You have "{{ env_cidr_prefix}}.0.1" and not 172.25.0.1.
Options:
If you want to replace that way, you can use a Jinja2 file in your role, replace the variable and the inventory file the same way you are trying.
Override the /etc/hosts file of your Jenkins (I really don't like too much) and play with the host name.
Play with your hosts variable in the playbook like:
Hosts Playbooks:
- name : Test
hosts: "{{ variable_vpn_ip | default('vpn-server') }}"
And call it reading from a variable that you will change ad-hoc or:
ansible-playbook play.yml -e "variable_vpn_ip=172.25.0.1"
Related
After several hours of beating my head against this (not to mention leaving it for a day) I'm pretty much stumped on trying to figure out why I can't JMESPath to return a value in Ansible.
I have a task which runs a shell command and returns the following output:
[
{
"ansible_loop_var": "item",
"changed": false,
"cmd": [
"pvesh",
"create",
"/access/users/user#pve/token/pve-apikey",
"-privsep=0",
"--output=json"
],
"delta": "0:00:00.707130",
"end": "2022-09-22 12:28:43.746253",
"failed": false,
"invocation": {
"module_args": {
"_raw_params": "pvesh create /access/users/\"user#pve\"/token/\"pve-apikey\" -privsep=0 --output=json",
"_uses_shell": false,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": false
}
},
"item": {
"token": "pve-apikey",
"user": "user#pve"
},
"msg": "",
"rc": 0,
"start": "2022-09-22 12:28:43.039123",
"stderr": "",
"stderr_lines": [],
"stdout": "{\"full-tokenid\":\"user#pve!pve-apikey\",\"info\":{\"privsep\":\"0\"},\"value\":\"dc2aa48f-daf6-4efe-b95e-83774a588988\"}",
"stdout_lines": [
"{\"full-tokenid\":\"user#pve!pve-apikey\",\"info\":{\"privsep\":\"0\"},\"value\":\"dc2aa48f-daf6-4efe-b95e-83774a588988\"}"
]
}
]
I'm now trying to obtain the UUID returned as value in the stdout_line using json_query and this is far as I can get:
- debug:
msg: "{{ token | community.general.json_query(query) }}"
vars:
query: '[].stdout'
This json_query returns the following output:
"msg": [
"{\"full-tokenid\":\"tfuser#pve!tfe-pve-apikey\",\"info\":{\"privsep\":\"0\"},\"value\":\"e47e82d4-6798-47ea-9592-c7cf55cc8b61\"}"
]
I believe that this is a list, so I've tried extending the json_query as [].stdout[].value but that returns null. I've tried various permutations but so far nothing seems to work.
Any advice on how to proceed would be very welcome!
The items of the list stdout_lines are strings. You can test it. For example,
- debug:
var: output.0.stdout_lines.0|type_debug
gives
output.0.stdout_lines.0|type_debug: AnsibleUnsafeText
Convert the items to dictionaries. For example
- debug:
var: output.0.stdout_lines.0|from_yaml
gives
output.0.stdout_lines.0|from_yaml:
full-tokenid: user#pve!pve-apikey
info:
privsep: '0'
value: dc2aa48f-daf6-4efe-b95e-83774a588988
To get the UUID, declare the variable
UUID: "{{ output|map(attribute='stdout_lines')|
map('map', 'from_yaml')|list|
json_query('[].value') }}"
This gives the list of the values
UUID:
- dc2aa48f-daf6-4efe-b95e-83774a588988
Example of a complete playbook for testing
- hosts: localhost
vars:
output: "{{ lookup('file', 'output.json') }}"
UUID: "{{ output|map(attribute='stdout_lines')|
map('map', 'from_yaml')|list|
json_query('[].value') }}"
tasks:
- debug:
var: output.0.stdout_lines.0|type_debug
- debug:
var: output.0.stdout_lines.0|from_yaml
- debug:
var: UUID
I am using command hcloud to create cloud server in Hetzner. I get an output like this:
changed: [localhost] => (item={'name': 'TEST-VARIABLES', 'server_type': 'cx11', 'os_image': 'ubuntu-20.04', 'server_labels': 'Name=test-server', 'server_location': 'hel1'}) => {
"ansible_loop_var": "item",
"changed": true,
"hcloud_server": {
"backup_window": "None",
"datacenter": "hel1-dc2",
"delete_protection": false,
"id": "19461514",
"image": "ubuntu-20.04",
"ipv4_address": "11.111.111.111",
"ipv6": "1a71:7f9:c011:0b09::/64",
"labels": {
"Name": "test-server"
},
"location": "hel1",
"name": "TEST-VARIABLES",
"placement_group": null,
"rebuild_protection": false,
"rescue_enabled": false,
"server_type": "cx11",
"status": "running"
},
"invocation": {
"module_args": {
"allow_deprecated_image": false,
"api_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"backups": null,
"datacenter": null,
"delete_protection": null,
"endpoint": "https://api.SERVER.cloud/v1",
"firewalls": null,
"force": false,
"force_upgrade": false,
"id": null,
"image": "ubuntu-20.04",
"labels": {
"Name": "test-server"
},
"location": "hel1",
"name": "TEST-VARIABLES",
"placement_group": null,
"rebuild_protection": null,
"rescue_mode": null,
"server_type": "cx11",
"ssh_keys": null,
"state": "present",
"upgrade_disk": false,
"user_data": null,
"volumes": null
}
},
"item": {
"name": "TEST-VARIABLES",
"os_image": "ubuntu-20.04",
"server_labels": "Name=test-server",
"server_location": "hel1",
"server_type": "cx11"
},
"root_password": "DFLDJFLDFDLFKJDLFKJ"
}
I try to get line with "ipv4_address": "11.111.111.111", and "root_password": "DFLDJFLDFDLFKJDLFKJ", but when I use task:
---
- name: Create a basic server
hcloud_server:
api_token: "{{ token }}"
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
image: "{{ item.os_image }}"
labels: "{{ item.server_labels }}"
location: "{{ item.server_location }}"
state: present
register: server_info
with_items: "{{ server }}"
- name: Here IP
debug:
var: server_info.root_password
I got error:
TASK [/etc/ansible/roles/CREATE-server : Here IP.] *********************************************************************************************************
ok: [localhost] => {
"server_info.root_password": "VARIABLE IS NOT DEFINED!"
}
Could you please help, how I can get IP line and password line, to use them in the next task (for example to send via email). Thank you!
you register the content of loop, so your result is a list (results):
- name: display
debug:
msg: "ip: {{ item.hcloud_server.ipv4_address }} has password: {{ item.root_password }}"
loop: "{{ server_info.results }}"
result: here you have just one server declared, so just one item in the list results
"msg": "ip: 11.111.111.111 has password: DFDFDFDFDFDFDFDF"
if you want to limit the output of record, you could add loop_control parameter to loop with argument label:
loop: "{{ server_info.results }}"
loop_control:
label: "{{ item.hcloud_server.ipv4_address }}"
you could put another comment if you want with label or even empty string:
loop: "{{ server_info.results }}"
loop_control:
label: "result"
I'm struggling to properly use ansible's user module. The problem is every time I run my playbook, the users I created always show as changed, even if I have already created them.
I found other people with the same issue here, though I am struggling to actually fix it based on the github thread. Probably the most helpful comment that I didn't understand 👇
I can confirm that it only looked like a bug - adding the append
option to two tasks made it so that they're not always undoing the
work of the other, and fixed the permanently changed trigger. I did
not need to add "group:"
This is what my playbook looks like:
- name: Generate all users for the environment
user:
createhome: yes
state: present # to delete
name: "{{ item.user }}"
groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
password: "{{ generic_password | password_hash('sha512') }}"
append: yes
with_items:
- "{{ users }}"
My intention is the have every user belong to their own private group (User Private Groups) but also have a developer belong to the developers group. With the current configuration currently it works, with the problem being ansible always reports the user as "changed". I'll then add the developers group to the sudoers file; hence I'd like to add the user to the developers group.
e.g.
vagrant#ubuntu-bionic:/home$ sudo su - nick
$ pwd
/home/nick
$ touch file.txt
$ ls -al
-rw-rw-r-- 1 nick nick 0 Jul 3 12:06 file.txt
vagrant#ubuntu-bionic:/home$ cat /etc/group | grep 'developers'
developers:x:1002:nick,ldnelson,greg,alex,scott,jupyter
Here is the verbose output running against vagrant locally for one of the users:
changed: [192.168.33.10] => (item={'user': 'nick', 'role': 'developer', 'with_ga': False}) => {
"append": true,
"changed": true,
"comment": "",
"group": 1004,
"groups": "developers",
"home": "/home/nick",
"invocation": {
"module_args": {
"append": true,
"comment": null,
"create_home": true,
"createhome": true,
"expires": null,
"force": false,
"generate_ssh_key": null,
"group": null,
"groups": [
"developers"
],
"hidden": null,
"home": null,
"local": null,
"login_class": null,
"move_home": false,
"name": "nick",
"non_unique": false,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"password_lock": null,
"remove": false,
"seuser": null,
"shell": null,
"skeleton": null,
"ssh_key_bits": 0,
"ssh_key_comment": "ansible-generated on ubuntu-bionic",
"ssh_key_file": null,
"ssh_key_passphrase": null,
"ssh_key_type": "rsa",
"state": "present",
"system": false,
"uid": null,
"update_password": "always"
}
},
"item": {
"role": "developer",
"user": "nick",
"with_ga": false
},
"move_home": false,
"name": "nick",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/sh",
"state": "present",
"uid": 1002
}
Should be unrelated, but I am adding some to the developers group as I intend to grant sudo access for certain commands.
generic_password | password_hash('sha512') is not idempotent. Salt of the hash changes each time the function password_hash runs.
To make it idempotent, either run it with a specific salt
- name: Generate all users for the environment
user:
password: "{{ generic_password | password_hash('sha512', 'mysalt') }}"
, or update the password on_create only
- name: Generate all users for the environment
user:
update_password: on_create
(, or register the return values and declare changed_when).
Consider external management of passwords e.g. Ansible Vault or Passwordstore. There is a lookup plugin for passwordstore. See ansible-doc -t lookup passwordstore. See also my implementation of Passwordstore.
I am new to ansible and executing the following ansible task:
- name: Create symbolic links
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ jboss_usr }}"
group: "{{ jboss_grp }}"
state: link
with_items:
- { src: "/apps/etc/jboss", dest: "/etc/jboss" }
- { src: "/apps/var/log/jboss", dest: "/var/log/jboss" }
And I got the following error:
2018-12-21 21:27:23,469 p=15185 u=ex_sam | failed: [hostname.x] (item={u'dest': u'/etc/jboss', u'src': u'/apps/etc/jboss'}) => {
"changed": false,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"content": null,
"delimiter": null,
"dest": "/etc/jboss",
"diff_peek": null,
"directory_mode": null,
"follow": true,
"force": true,
"group": "jboss",
"mode": null,
"original_basename": null,
"owner": "jboss",
"path": "/etc/jboss",
"recurse": false,
"regexp": null,
"remote_src": null,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": "/apps/etc/jboss",
"state": "link",
"unsafe_writes": null,
"validate": null
}
},
"item": {
"dest": "/etc/jboss-as",
"src": "/apps/etc/jboss"
},
"msg": "Error while linking: [Errno 13] Permission denied",
"path": "/etc/jboss-as",
"state": "absent"
}
I am trying to find out why the symbolic link creation failed.
I read the following:
https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#id6
I says the "changed" attribute is a boolean indicating if the task had to make changes.
But, there are lots of null parameters in the invocation:module_args elements of the json
Does that mean the values are really “null” or they are being set to a default value?
I have looked into the ansible documentation and I am not sure if the invocation:module_args null values are representative of the outcome of the trying to create the symbolic link i.e. are the null input or output of executing the tasks.
I think some of the nulls are defaults, but will appreciate some helpful comments on the possible relation between the json returned in my ansible error log and the actual "Error while linking: [Errno 13] Permission denied".
Thanks all for you anticipated help.
I think, is the permissions on /etc. So probably you need to add the option:
become: true
To your task.
Here is my playbook
- name: Add multiple users
user:
name: "{{ item[0].name }}"
comment: "{{ item[0].comment }}"
uid: "{{ item[0].uid }}"
groups: "{{ item[0].groups}}"
shell: /bin/bash
with_nested:
- "{{ name }}"
- "{{ comment }}"
- "{{ uid }}"
- "{{ groups }}"
Here is my vars file
---
name:
- test1
- test2
comment:
- "comment1"
- "comment2"
uid:
- 150
- 151
groups: "sudo, admin"
I'm not sure what is causing this, any ideas? I believe I may need to use with subelement instead of with nested? Am I on the right track there?
UPDATE:
Changed my code but am now experiencing the following. Updated code and error message
- name: Add new group if it doesn't exist already
group:
name: "{{ group }}"
when: group is defined
- name: Add multiple users
user:
name: "{{ item.0 }}"
comment: "{{item.1 }}"
uid: "{{ item.2 }}"
group: "{{ group }}"
groups: "{{ groups }}"
append: yes
with_together:
- "{{ name }}"
- "{{ comment }}"
- "{{ uid }}"
- "{{ group }}"
And variable file:
name:
- test1
- test2
comment:
- "comment1"
- "comment2"
uid:
- 150
- 151
group: sudo
groups:
- admin
- test
However, now I am receiving this error.
failed: [127.0.0.1] => (item=[u'test1', u'comment1', 150, u'sudo']) => {"failed": true, "invocation": {"module_args": {"append": true, "comment": "comment1", "createhome": true, "expires": null, "force": false, "generate_ssh_key": null, "group": "sudo", "groups": "{'ungrouped': ['127.0.0.1'], 'all': ['127.0.0.1']}", "home": null, "login_class": null, "move_home": false, "name": "test1", "non_unique": false, "password": null, "remove": false, "shell": null, "skeleton": null, "ssh_key_bits": "2048", "ssh_key_comment": "ansible-generated on ubuntu-512mb-sfo1-01", "ssh_key_file": null, "ssh_key_passphrase": null, "ssh_key_type": "rsa", "state": "present", "system": false, "uid": "150", "update_password": "always"}, "module_name": "user"}, "item": ["test1", "comment1", 150, "sudo"], "msg": "Group 'all': ['127.0.0.1']} does not exist"}
failed: [127.0.0.1] => (item=[u'test2', u'comment2', 151, None]) => {"failed": true, "invocation": {"module_args": {"append": true, "comment": "comment2", "createhome": true, "expires": null, "force": false, "generate_ssh_key": null, "group": "sudo", "groups": "{'ungrouped': ['127.0.0.1'], 'all': ['127.0.0.1']}", "home": null, "login_class": null, "move_home": false, "name": "test2", "non_unique": false, "password": null, "remove": false, "shell": null, "skeleton": null, "ssh_key_bits": "2048", "ssh_key_comment": "ansible-generated on ubuntu-512mb-sfo1-01", "ssh_key_file": null, "ssh_key_passphrase": null, "ssh_key_type": "rsa", "state": "present", "system": false, "uid": "151", "update_password": "always"}, "module_name": "user"}, "item": ["test2", "comment2", 151, null], "msg": "Group 'all': ['127.0.0.1']} does not exist"}
The problem is conflicting variable names. groups is a reserved variable and holds the groups from the inventory. And all is a automatically generated group which holds all the hosts of your inventory.
From the docs:
Even if you didn’t define them yourself, Ansible provides a few variables for you automatically. The most important of these are hostvars, group_names, and groups. Users should not use these names themselves as they are reserved. environment is also reserved.
and
groups is a list of all the groups (and hosts) in the inventory. This can be used to enumerate all hosts within a group.
Simply rename your variable and it should work. In general it's a good idea to prefix all variables of a role with the role name. This gets more important if you use 3rd party roles, e.g. from Ansible Galaxy, just to avoid conflicts. So instead of groups you could use myrole_groups and can be quite sure there never will be conflicts.