I need to add group and user without password (nologin user) using Ansible script.
I execute the following command:
$ansible-playbook deploy_nagios_client.yml -i hosts -e hosts=qa1-jetty -v
Below is main.yml
---
# Create Nagios User and Group
- name: Add group "nagios"
group: name=nagios
become: true
- name: Add user "nagios"
user: name=nagios groups=nagios password="" shell=/bin/bash append=yes comment="Nagios nologin User" state=present
become: true
Result
If you want to create a nologin user, you should specify that to the shell argument like this:
- name: Add user "nagios"
user:
name: nagios
groups: nagios
shell: /sbin/nologin
create_home: no
append: yes
comment: "Nagios nologin User"
state: present
become: true
As far as I can tell, adding a user with the user module does what you want if you leave off the password attribute entirely.
Related
im trying to run a playbook that will create a user and will add it to /etc/sudoers,
so i wrote this thing
- hosts: "{{ hostname }}"
vars_prompt:
- name: user
prompt: "Enter user"
private: no
- name: password
prompt: "Enter password"
tasks:
- name: Create the new user
user:
name: "{{ user }}"
state: present
#state: absent
password: "{{ password | password_hash('sha512', 'password') }}"
groups: SSHusers
- name: Add line in /etc/sudoers
lineinfile:
dest: /etc/sudoers
line: "User_Alias LINUX_ADMINS = Example, {{ user }}"
regexp: "^User_Alias LINUX_ADMINS."
state: present
#state: absent
- name: Run chage for user
command: chage -d 9999999999 "{{ user }}"
- name: Run chage for user
command: chage -M -1 "{{ user }}"
the problem is that i replace the line in - name: Add line in /etc/sudoers
an the i have to change it every time i add a new user.
i need to run something like that on the host Admin_Users=$(grep -w 'LINUX_ADMINS =' /etc/sudoers) and bring the var back so that my playbook will be able to use it ,
any suggestion to how should i do it ?
thanks for the help
You have to restructure your playbook.
You still run the "user" task for each user.
But you run the "lineinfile" task not for a single user but for all users together.
If you pass all users to "lineinfile", the task can craft the whole line at once. And so the problem to change the line incrementally for each user disappears.
I'm new to ansible and trying to create new user with encrypted password using ansible-vault. The taget system is OpenBsd, and I'm using ansible 2.10 on Ubuntu 20.04
.
The "problem" is once the playbook finished, I get this message in output
"passord": "NOT_LOGGING_PASSWORD" and the password is not set/update.
I first create and edit my vault file using ansble-vault.
Content of my vault file:
user_pass: pass
Here is my playbook:
- name: Add new user
hosts: all
vars_files:
- "../vars/pass.yml"
tasks:
- name: Add regular user
user:
name: foo
update_password: always
password: "{{ vault_user_pass | password_hash('sha512') }}"
create_home: yes
shell: /bin/sh
generate_ssh_key: yes
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_passphrase: ''
become_user: root
Do you have any idea why the password is not set/update ? I tried to print the vault variable to check if var is readable or not, using debug module and yes, it is. The user is created but with another password. I also tried to hash the password using mkpasswd but same results.
If you need further informations, don't hesitate :).
Thank you in advance.
The variable name is user_pass, even though your variable is in a vault file you don't need to use the vault prefix.
Try as below
- name: Add new user
hosts: all
vars_files:
- "../vars/pass.yml"
tasks:
- name: Add regular user
user:
name: foo
update_password: always
password: "{{ user_pass | password_hash('sha512') }}"
create_home: yes
shell: /bin/sh
generate_ssh_key: yes
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_passphrase: ''
become_user: root
I am running below playbook. which will login to the server using ec2-user but mysql-java-connector will be installed, my test1 user.
---
- hosts: cluster
become: yes
remote_user: ec2-user
tasks:
- name: Create test1 User
user:
name: test1
password: '$6$jQX0JQzf8GB$NI/Pv1rMLyxWYaFCGNsbrun3sfn5bXSzg89Ip.ga2yf3n7hhrjiPsEo5IChIA7X8xVxnuZzm2sWA7IRM6qZOR0'
state: present
shell: /bin/bash # Defaults to /bin/bash
system: no # Defaults to no
createhome: yes # Defaults to yes
home: /home/test1
- name: Add users to sudoers
lineinfile:
dest : /etc/sudoers
state: present
line: 'test1 ALL=(ALL) NOPASSWD: ALL'
- name: Install mysql java connector
become_user: test1
become_method: sudo
yum: name=mysql-connector-java state=present
Gets below error:
fatal: [xxx.xxx.xxx.211]: FAILED! => {"changed": false, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": [""]}
Same error, you should include become and become_user. In some cases add become method. More
- hosts: somehost
name: Install something
become: yes
remote_user: yourname
become
set to yes to activate privilege escalation.
become_user
set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: yes, to allow it to be set
at host level. Default value is root.
Add ansible_user=Your-User and ansible_become=true in /etc/ansible/hosts file to remove this error:
You need to be root to perform this command
Replace become_user: test1 to become_user: root (or delete this line, because become_user is root by default).
Please read Understanding privilege escalation for more information.
I have some servers which I want to administer with ansible. Currently I need to create user acounts on all of them. On some of them, some accounts are already present. I want to create the users with a default password, but if the user exist don't change his password.
Can someone help me with this condition ?
Here is my playbook :
---
- hosts: all
become: yes
vars:
sudo_users:
# password is generated through "mkpasswd" command from 'whois' package
- login: user1
password: hashed_password
- login: user1
password: hashed_password
tasks:
- name: Make sure we have a 'sudo' group
group:
name: sudo
state: present
- user:
name: "{{ item.login }}"
#password: "{{ item.password }}"
shell: /bin/bash
groups: "{{ item.login }},sudo"
append: yes
with_items: "{{ sudo_users }}"
From the docs of user module:
update_password (added in 1.3) always/on_create
always will update passwords if they differ. on_create will only set the password for newly created users.
I have a set of Ansible playbooks and the main yml file is like this
- hosts: all
roles:
- common
- install_nginx
I want to add the confirm message when I trigger the playbook. I tried this and did not work
- hosts: all
vars_prompt:
- name: CONFIRM
prompt: Just to confirm you will install stuff
tasks:
- fail: no deployment this time
when: CONFIRM != 'yes'
roles:
- common
- install_nginx
How can I use vars_prompt in this case without modify every role?
If you look at the output from running your playbook with the vars_prompt you'll see that the fail task runs after the other roles. This is also mentioned in the Ansible docs for playbooks and roles:
If the play still has a ‘tasks’ section, those tasks are executed
after roles are applied.
As the above docs also mention if you want to force a task to run before any roles then you can use pre_tasks.
So to have your confirmation style prompt you could simply do this:
- hosts: all
vars_prompt:
- name: CONFIRM
prompt: Just to confirm you will install stuff
pre_tasks:
- fail: no deployment this time
when: CONFIRM != 'yes'
roles:
- common
- install_nginx
I am not very sure, but the way this works is :
- hosts: all
vars_prompt:
- name: "confirm"
prompt: Just to confirm you will install stuff
private: no
default: "no"
tasks:
- name: Install Nginx
apt: name=nginx
sudo: true
when: confirm == "yes"
Now if we need to call each role based on a condition , i suppose we shoud be using tags.
How to use Ansible vars_prompt for roles
i got the solution to use vars_prompts in ansible role section
i have directly included vars_prompt in my main.yml playbook as like before
- hosts: "{{HOSTS}}"
gather_facts: yes
become: yes
roles:
- syslog
- splunk
- nmon
- trendmicro
- user-creation
- extened-history
vars_prompt:
- name: "user_password"
prompt: "Enter User Password"
private: yes
confirm: yes
==========================================================
Below is the ansible command to execute the playbook
# ansible-playbook ort-linux.yml -e "HOSTS=TESTSERVER"
Enter User Password:
confirm Enter User Password:
========================================================
Below is my roles playbook for user id creation
---
- name: "Task-1 create Linux Team user"
user:
name: "{{item}}"
comment: LINUX_UNIX_TEAM
group: LINUX_UNIX_TEAM
shell: /bin/bash
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
createhome: yes
password: "{{user_password|password_hash('sha512')}}"
loop:
- sam
- jack
- kumar
- ravi
tags: linuxuser