Ansible set hostname, username and password in playbook - ansible

I am trying to write an Ansible playbook to run a command on a remote host.
Is it possible to write a host IP, username and password within the playbook?

You can add the hostname in the inventory file under a group like this:
[group-name]
34.67.12.12
and then in the playbook YAML you can specify a group to run on like this:
- hosts: group-name
  gather_facts: true
  sudo: yes
  vars_files:
    - "group_vars/group-name/config"
  roles:
    - do-bla-bla
About the username and password: it is not secure to write them in the variable file; for that there is Ansible Vault.

Use a variable for remote_user in ansible

I want to parameterize (use a variable) remote_user in Ansible.
This is the first part of the playbook:
- hosts: xxx
  remote_user: "centos"
  become: true
I will replace it with
- hosts: wazuh
  remote_user: "{{ new_user }}"
  become: true
But what is a good place to store the value of this variable? It seems group_vars/all mostly contain variables which are more app/env specific than ansible specific. Or should I put it in inventories/hosts as a var? What is the recommended location to store it?
You should actually store it in your inventory as ansible_user, either for the all group (for all hosts), a specific group or a specific host. You can keep a remote_user in your play, which will be used in case ansible_user is not defined for some hosts in your inventory. If you remove it, your local user on the controller will be the default, unless you use the -u flag on the command line.
You can find a good explanation of the difference between ansible_user and remote_user, and how the override works, in the documentation on variable precedence.
Using a var as you wrote it in your above example can actually work. But since it must be expanded before the play actually starts and any action is taken on any host, the only place you can "store" it is in an extra_var on the command line.
To be a little more practical, here is what I suggest from your above example:
inventories/dev/hosts.yml
---
wazuh:
  hosts:
    host_a.wazuh.tld:
    host.b.wazuh.tld:
inventories/dev/group_vars/wazuh.yml
---
# Vars for the wazuh group
ansible_user: centos
playbook.yml
---
- hosts: wazuh
  tasks:
    - name: Prove we connected with the given user
      command: whoami
      register: whoami_result
    - name: Show actual result
      debug:
        var: whoami_result.stdout
Launching the playbook:
ansible-playbook -i inventories/dev playbook.yml

Using credentials securely in ansible inventory

In order to connect to a Windows host I will need to pass the credentials in an inventory file. Here's my inventory file:
[windows]
100.100.100.100
[windows:vars]
ansible_user=Adminuser
ansible_password="Mypassword"
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
Ansible documentation says that the credentials should be encrypted with ansible-vault. Can I use a variable file that's been encrypted using ansible-vault in my inventory file? And if so, how do I pass my ansible-vault credentials to my inventory file? I will also be using credentials in my playbook like this:
- hosts: windows
  gather_facts: no
  vars_files:
    - vars.yml
  tasks:
    - win_domain_membership:
        dns_domain_name: my.domain.com
        hostname: ansible-host
        domain_admin_user: "{{ admin_user }}"
        domain_admin_password: "{{ passwd }}"
        domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=com"
        state: domain
      register: domain_state
I will then use ansible-vault to encrypt my variable file for this playbook.
---
admin_user: "myusername#my.domain.com"
passwd: "mypassword"
And then pass my ansible-vault credentials to my playbook at the command line:
$ ansible-playbook myplaybook.yml --ask-vault-pass
Is it possible to store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault? That way I can pass the ansible-vault credentials for both files at the command line?
The ansible-vault command encrypts a single file. Ansible decrypts this at runtime and interprets it the same way it would if the file had been unencrypted (so you can't "store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault" because those are two different files).
I would just remove the variable from your inventory, leaving it like this:
[windows]
100.100.100.100
And then create group_vars/windows.yml as a vaulted file with the following content (ansible-vault create group_vars/windows.yml):
ansible_user: Adminuser
ansible_password: "Mypassword"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Ansible will automatically apply the variables in group_vars/windows.yml when you have a play that targets the windows group.

How to add a sudo password to a delegated host

How do you add a sudo password to a delegated host?
e.g.
- hosts: host1
  tasks:
    - name: Some remote command
      command: sudo some command
      register: result
      delegate_to: host2
      become: yes
I get "Incorrect sudo password" because I assume it is using the sudo pass for host1. Is there a way to make it use a different password?
It has been a while - but I was struggling with this as well and managed to solve it so here is a summarized answer:
As pointed out correctly, the issue is that the ansible_become_password variable is set to your original host (host1) when running the delegated task on host2.
Option 1: Add become password to inventory and delegate facts
One option to solve this is to specify the become password for host2 in your inventory, and secure it using ansible vault (as they have done here: How to specify become password for tasks delegated to localhost). Then you should be able to trigger using the correct sudo pw with delegate_facts as they did here Ansible delegate_to "Incorrect sudo password".
Option 2: Prompt and overwrite pass manually
If you prefer to get prompted for the second sudo password instead, you can do this by using a vars_prompt to specify the second sudo pw during runtime:
- hosts: host1
  vars_prompt:
    - name: custom_become_pass
      prompt: enter the custom become password for host2
      private: yes
  tasks:
    ...
Then you can just replace the variable ansible_become_password before running your delegated tasks and it will use the correct sudo password:
tasks:
  - name: do stuff on host1
    ...
  - name: set custom become
    set_fact:
      ansible_become_password: '{{ custom_become_pass }}'
  - name: perform delegated task
    command: sudo some command
    register: result
    delegate_to: host2
    become: yes
You could try to use the ansible_become_password variable directly inside the task's vars section.
Ansible doc

How to combine multiple vars files per host?

I have a playbook running against multiple servers. All servers require a sudo password to be specified, which is specific to each user running the playbook. When running the playbook, I can't use --ask-become-pass, because the sudo passwords on the servers differ. This is the same situation as in another question about multiple sudo passwords.
A working solution is to specify ansible_become_pass in host_vars:
# host_vars/prod01.yml
ansible_become_pass: secret_prod01_password
domain: prod01.example.com
# host_vars/prod02.yml
ansible_become_pass: secret_prod02_password
domain: prod02.example.com
Besides ansible_become_pass, there are other variables defined per host. These variables should be committed to the git repository. However, as ansible_become_pass is specific to each user running the playbook, I'd like to have a separate file (ideally, vaulted) which specifies the password per host.
I imagine the following:
# host_vars/prod01.yml: shared in git
domain: prod01.example.com
# host_vars/prod01_secret.yml: in .gitignore
ansible_become_pass: secret_prod01_password
I imagine both files to be combined by Ansible when running the playbook. Is this possible in Ansible? If so, how?
You should be able to use the include_vars task with the inventory_hostname or ansible_hostname variable. For example:
- name: Include host specific variables
  include_vars: "{{ ansible_hostname }}.yml"
- name: Include host specific secret variables
  include_vars: "{{ ansible_hostname }}_secret.yml"
An even better solution would be to address the problem of users having unique passwords on different hosts.
You could create a new group in the inventory file, maybe sudo-hosts. Put all your sudo hosts in this group. Then create a file under the directory group_vars with the name of this group. In this file put the secret YAML-structured text.
sudo_hosts:
  host1:
    password: xyz
    othersecret_stuff: abc
  host2:
    ...
Then use ansible-vault to encrypt this file with ONE password. Call the playbook with the option --ask-vault-pass
and you can use your secrets with
"{{ sudo_hosts[inventory_hostname].password }}"
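A check that belongs next to the vaulted group_vars/windows.yml and host_vars/*_secret.yml layouts discussed in the answers above, added here as an example and not code from any of the answers: a pre-commit style shell script that refuses secret files stored in plaintext by testing for the header line ansible-vault writes. The sample tree and its file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that files meant to hold Ansible secrets are really
# vault-encrypted before they are committed. ansible-vault writes a header
# line of the form "$ANSIBLE_VAULT;<version>;<cipher>", for example
# "$ANSIBLE_VAULT;1.1;AES256"; a plaintext YAML file never starts that way.

# is_vaulted FILE -> 0 if FILE starts with the vault header, 1 otherwise
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# scan_secrets DIR PATTERN -> prints every file under DIR whose name matches
# PATTERN (find -name syntax) and is stored in plaintext; returns 1 if any
# such file exists, 0 if all of them are encrypted
scan_secrets() {
    _bad=0
    for f in $(find "$1" -type f -name "$2" | sort); do
        if ! is_vaulted "$f"; then
            echo "PLAINTEXT SECRET: $f"
            _bad=1
        fi
    done
    return $_bad
}

# Constructed sample tree mirroring the layouts from the answers: one properly
# vaulted host secret, one forgotten plaintext host secret, and a plaintext
# group_vars/windows.yml holding a WinRM password.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/host_vars" "$demo_dir/group_vars"
# Real header format; the hex body is a constructed placeholder, not real ciphertext.
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' '30303030303030303030303030303030' \
    > "$demo_dir/host_vars/prod01_secret.yml"
printf '%s\n' 'ansible_become_pass: secret_prod02_password' \
    > "$demo_dir/host_vars/prod02_secret.yml"
printf '%s\n%s\n' 'ansible_user: Adminuser' 'ansible_password: "Mypassword"' \
    > "$demo_dir/group_vars/windows.yml"

# Typical pre-commit usage: fail the commit when any secret file is plaintext.
scan_secrets "$demo_dir" '*_secret.yml' || echo "refusing commit: encrypt the files above with ansible-vault encrypt"
is_vaulted "$demo_dir/group_vars/windows.yml" || echo "refusing commit: group_vars/windows.yml is plaintext"
```

In a real repository the same two functions run from .git/hooks/pre-commit against the staged paths, so a forgotten `ansible-vault encrypt` is caught before the password ever reaches git history.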

How can I add my private key to a target host through Ansible

I have an ssh key from /home/renz/.ssh/id_rsa.pub. I want to add this to my target host in /root/.ssh/authorized_keys through Ansible. I tried this but it didn't work.
---
- hosts: snapzio
  tasks:
    - name: Set authorized key taken from file
      authorized_key:
        user: master
        state: present
        key: "{{ lookup('file', '/home/renz/.ssh/id_rsa.pub') }}"
        path: /root/.ssh/authorized_keys
because in the first place, I cannot communicate with the host because my key is not in the authorized keys. I think this idea makes sense if I want to communicate with many hosts, instead of just manually copying and pasting the key.
As others have mentioned, if the account you use with Ansible doesn't have a SSH key installed, you'll have to fall back to using password authentication. Assuming InstallMyKey.yml is your playbook, you could run something like this:
ansible-playbook InstallMyKey.yml --ask-become-pass
You'll need to add the remote_user: root line to your YML between the hosts: and tasks: lines, then type in the root password.
Assuming the playbook succeeds and everything else in the root SSH settings is correct, your next run of a playbook should use the renz SSH key and get on without a password.
