Setting vault password in Ansible Tower - ansible

I have used Ansible Vault to encrypt a file in which I have stored sensitive data.
In my orchestration script, the command below is used to run the playbook.
ansible-playbook -i hosts -vvv Playbook.yml --ask-vault-pass
This prompts the user to provide the password for the Ansible vault.
Now how can I achieve the same through Ansible Tower so that no manual intervention is needed?
I do not want this to be done through a password file, as that is the requirement.
Any suggestion would be a great help.

On Ansible Tower, go to Settings > Credentials and edit your Machine Credentials. There is an option to enter your vault password. When you run the playbook on Ansible Tower, the vault password should automatically be entered. You can also check the box "Ask at runtime?" if you want to manually enter your vault password when the playbook is running.
Here is an overview of this functionality under "Vault Support" of this page: https://www.ansible.com/blog/ansible-tower-148

Related

Retrieve Remmina password from Ubuntu keyring in Ansible?

I can add passwords to Ubuntu's system keyring, retrievable by Ansible, with the command
keyring set myservice username
after installing it with sudo apt install python-keyring. This password is then retrievable within an Ansible playbook, for example using
ansible_become_pass: "{{ lookup('keyring','myservice username') }}"
See the documentation page for more examples.
But I reinstalled a local computer and I want to re-install/configure a VNC server in it via Ansible. I would like to pick up the saved VNC password that already exists in my computer's (the client) keyring, because I don't want to have the password in plaintext in the middle of a playbook. This password was saved in the keyring by Remmina and does not follow the python-keyring format.
Is there a way to retrieve this password from within an Ansible playbook?

Getting a password prompt when running ansible-playbook

I am new to Ansible. I have written an Ansible playbook to install VNC. I want to ensure that when someone runs the playbook they are prompted for a password. I was able to run the playbook via some code I put together and it prompts for the password, but accepts any password.
---
- hosts: test-server
  vars_prompt:
    - name: password
      prompt: "What is your password?"
      private: yes
  # nothing below compares the prompted value, so any input is accepted
  tasks:
    - name: install tightvncserver
      package:
        name: tightvncserver
        state: present
      notify:
        - start tightvncserver
  handlers:
    - name: start tightvncserver
      service:
        name: tightvncserver
        state: started
Please excuse the indentation. Any help will be appreciated.
Now, this is where Ansible Vault comes into the picture. Any password or other confidential information has to be stored in Ansible Vault. If you are not worried about security, then you can simply add a when module to check if the password matches a specific string; otherwise the best way to solve this would be to prompt for the Ansible Vault password and fetch the confidential information from there.
Alternatively, you can also store your password as a key/value pair in a YAML variable file, include that in your playbook, and add a when condition to check if the password provided equals the password mentioned in that variable file.
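As an added example (not code from the original thread), one way to wire up the vaulted comparison described in the answer above: the expected value lives in a vars file encrypted with ansible-vault, the play prompts for the password, and a single assert task stops the play on mismatch before anything is installed. The file name secrets.yml and the variable name expected_password are assumptions.

```yaml
# secrets.yml (plaintext shown; encrypt it with: ansible-vault encrypt secrets.yml)
#   expected_password: "replace-me"
#
# Run with: ansible-playbook -i hosts vnc.yml --ask-vault-pass
---
- hosts: test-server
  vars_files:
    - secrets.yml          # decrypted in memory using the vault password
  vars_prompt:
    - name: password
      prompt: "What is your password?"
      private: yes         # input is not echoed at the prompt
  tasks:
    - name: verify the supplied password before touching the host
      assert:
        that:
          - password == expected_password
        fail_msg: "Password does not match; aborting."
        quiet: true
      no_log: true         # keep both values out of play output and logs

    - name: install tightvncserver
      package:
        name: tightvncserver
        state: present
      notify:
        - start tightvncserver

  handlers:
    - name: start tightvncserver
      service:
        name: tightvncserver
        state: started
```

The assert runs first, so a wrong password ends the play with the fail message and the package task never executes.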

Specify host credentials at runtime Ansible

I have a playbook which generates the credentials for a Windows host (NTLM).
How can I utilise these credentials to connect to the host after the playbook has been executed, as we are not supplying credential data when running ansible-playbook?
Is there a way to run a play locally (on the control node) to generate the credentials and another play for the Windows host?

Decrypt config.cnf with ansible vault when running a playbook

I am running a playbook that executes a MySQL update command with --defaults-extra-file=vault/config.cnf.
This file is encrypted with Ansible Vault to protect the MySQL credentials.
The problem is that when I run ansible-playbook --vault-id ~/vault/vault-passwd, the MySQL config file is not decrypted and the playbook fails.
Is there a solution to this problem?

How to make ansible only ask for become password when required

I am using ansible 2.0.2.0 to update my static website from any computer. My playbook runs on localhost only and essentially has two parts:
Privileged part: Ensure packages are installed, essentially apt tasks with become: true
Unprivileged part: Fill in templates, minify and sync with web hosting service, essentially command tasks without become.
I would prefer having these two parts in the same playbook so that I do not need to worry about dependencies when switching computers. Ideally, I would like ansible to check if the apt packages are installed and only ask for the become password if it needs to install any.
Other, less satisfactory alternatives that I have explored so far and their drawbacks are highlighted below:
sudo ansible-playbook ...: Runs the unprivileged part as root, asks sudo password when not required;
ansible-playbook --ask-become-pass ...: Always asks sudo password, even if no new packages need to be installed;
ansible-playbook ...: Fails with sudo: a password is required.
Is there any way to keep the privileged and unprivileged parts in the same playbook without needlessly typing the sudo password nor giving needless privileges to the unprivileged part?
If you run ansible-playbook with the --ask-sudo-pass parameter, then your second option will ask you for the password once, and will reuse that each time, where needed.
If you do run as sudo, as in your first case, then you can use become within the script to drop your privilege status as you need it.
However, you can set up ansible.cfg to do remote installs to localhost. Hence you can set up an unprivileged Ansible user (I use centos), which is set up to sudo without needing a password. Then I put my local user in the authorized_keys for the centos user.
Hence you run unprivileged (as centos), but when you need to sudo, you can use become_method: sudo to become root.
Using this method I do bare metal installs with the same ansible playbook, as I do remote AWS installs.
Looking at my ansible.cfg I have:-
[defaults]
hostfile = inventory
# use local centos account, and ask for sudo password
remote_user = centos
#ask_pass = true
#private_key_file = ~/packer/ec2_amazon-ebs.pem
My inventory.yml contains:-
[webservers]
localhost
my setup.sh contains:-
ansible-playbook playbook.yml -vvv
#ansible-playbook --ask-sudo-pass playbook.yml
Hence all password-asking statements are off. Remember, as I don't specify a private_key_file in the defaults, it assumes the running user has authority to ssh to centos@localhost without requiring a password.