Create EC2 Instance by Ansible Failed with ec2: error: unrecognized arguments: - amazon-ec2

I am a newbie to Ansible and followed this tutorial to create a security group and an EC2 instance. The security group is created successfully, but creating the EC2 instance fails with:
ec2: error: unrecognized arguments:
/home/ec2-user/.ansible/tmp/ansible-tmp-14244....
I did set up the AWS credentials and Ansible variables properly, as below:
# AWS Credentials
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
# EC2 Environment Variables
export ANSIBLE_HOSTS=/etc/ansible/ec2.py
export EC2_INI_PATH=/etc/ansible/ec2.ini
The files and output are shown as follows. Any ideas on this issue? Thanks for your help!
$ cat group_vars/all
# Variables listed here are applicable to all host groups
key_name: sobrr-staging.pem
aws_region: cn-north-1
ami_id: ami-9e0c9ea7
instance_type: m1.small
$ cat basic-create.yml
# Basic provisioning example
- name: Create AWS resources
  hosts: localhost
  connection: local
  gather_facts: False
  tasks:
    - name: Create security group
      ec2_group:
        name: my-security-group
        description: "A Security group"
        region: "{{aws_region}}"
        rules:
          - proto: tcp
            type: ssh
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0
        rules_egress:
          - proto: all
            type: all
            cidr_ip: 0.0.0.0/0
      register: basic_firewall
    - name: debug basic_firewall
      debug: 'msg="{{ basic_firewall }}"'
    - name: create an EC2 instance
      local_action:
        module: ec2
        key_name: "{{key_name}}"
        region: "{{aws_region}}"
        group_id: "{{basic_firewall.group_id}}"
        instance_type: "{{instance_type}}"
        image: "{{ami_id}}"
        count: 1
        wait: yes
      register: basic_ec2
    - name: debug instance start
      debug: 'msg="{{ basic_ec2 }}"'
OUTPUT
ansible-playbook -i /etc/ansible/hosts -vvvv basic-create.yml
/usr/lib64/python2.6/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
_warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
PLAY [Create AWS resources] ***************************************************
TASK: [Create security group] *************************************************
<localhost> region=cn-north-1 description=A Security group name=my-security-group
<localhost>
<localhost>
<localhost> u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.15-98406246607462/ec2_group; rm -rf /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.15-98406246607462/ >/dev/null 2>&1']
ok: [localhost] => {"changed": false, "group_id": "sg-63fae101"}
TASK: [debug basic_firewall] **************************************************
ok: [localhost] => {
"msg": "{'invocation': {'module_name': u'ec2_group', 'module_args': ''}, 'changed': False, 'group_id': 'sg-63fae101'}"
}
TASK: [create an EC2 instance] ************************************************
<127.0.0.1> instance_type=m1.small image=ami-9e0c9ea7 group_id=sg-63fae101 region=cn-north-1 key_name=sobrr-staging.pem
<127.0.0.1>
<127.0.0.1>
<127.0.0.1>
<127.0.0.1> u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/env python /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.54-184834253412898/ec2 /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.54-184834253412898/arguments; rm -rf /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.54-184834253412898/ >/dev/null 2>&1']
failed: [localhost -> 127.0.0.1] => {"failed": true, "parsed": false}
usage: ec2 [-h] [--list] [--host HOST] [--refresh-cache]
ec2: error: unrecognized arguments: /home/ec2-user/.ansible/tmp/ansible-tmp-1424461765.54-184834253412898/arguments
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/home/ec2-user/basic-create.retry
localhost : ok=2 changed=0 unreachable=0 failed=1

The key_name parameter in the Ansible ec2 module refers to the SSH public key you uploaded or created (if you want to reuse the previous key) in your AWS account. You may want to verify it matches the name you specified in the AWS account.
My guess is that the key name in your AWS account is sobrr-staging, not sobrr-staging.pem.
Try using sobrr-staging and see how that goes.

Related

Ansible playbook password

New Ansible user here. This is my playbook.
---
- name: Creating Local User Account on RHEL Systems.
  hosts: hapansible05
  become: true
  vars:
    passwd: WSXcde1234
  tasks:
    - name: Creating Local User
      user:
        name: svc_cldscp
        password: "{{ passwd | password_hash('sha512') }}"
        comment: svc_cldscp-ServiceAcct
        shell: /bin/bash
I keep getting this message on the RHEL server:
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [Creating Local User Account on RHEL Systems.] ********************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************************************************
ok: [hapansible05]
TASK [Creating Local User] ***********************************************************************************************************************************
fatal: [hapansible05]: FAILED! => {"changed": false, "msg": "usermod: user 'svc_cldscp' does not exist in /etc/passwd\n", "name": "svc_cldscp", "rc": 6}
PLAY RECAP *************************************************************************************************************************************************
hapansible05 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
A working example for creating and configuring local users via the user module, with a filter for hashing and encrypting strings and passwords, is:
---
- name: Create local user account on RHEL System
  hosts: rhel.example.com
  become: true
  vars:
    pwd: "WSXcde1234"
  tasks:
    - name: Create and configure user in local system
      user:
        name: "svc_cldscp"
        password: "{{ pwd | password_hash('sha512') }}"
        system: false      # defaults to no
        createhome: true   # defaults to yes
        uid: '1234'
        group: '1234'      # the group needs to exist beforehand
        shell: /bin/bash   # defaults to /bin/bash
        comment: "Service Account"
        state: present
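Both playbooks in this thread rely on the password_hash('sha512') filter to turn a plaintext variable into a crypt(3)-style hash, and both keep that plaintext literal under vars:. The linter below is an added example, not code from either post or from Ansible: it scans playbook text line by line (no PyYAML needed) and flags two things, a password: argument that is neither a crypt hash nor a password_hash template (the user module writes such a value to the shadow file verbatim, so the account ends up unusable rather than protected), and a plaintext secret under vars: that should be an ansible-vault value instead. The three sample playbooks embedded in it are constructed from the thread's snippets; the !vault blob and the "$6$" hash in the last one are placeholders, not real values.

```python
"""Lint Ansible playbook text for password-handling mistakes.

Added example; not code from the original posts. Line-based scan of the
YAML (no PyYAML dependency). It flags:
  1. a password: argument that is not a crypt(3)-style hash and not a
     password_hash template; the user module stores such a value verbatim,
  2. a plaintext secret literal under vars: instead of an ansible-vault value.
"""
import re

# crypt(3) hash prefixes: $1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt, $2b$ bcrypt
CRYPT_HASH_RE = re.compile(r"^\$(1|5|6|y|2[aby]?)\$\S+$")
TEMPLATE_HASH_RE = re.compile(r"\{\{.*\|\s*password_hash\s*\(.*\)\s*\}\}")
SECRET_KEY_RE = re.compile(r"^(pass(word|wd)?|secret|token)$", re.IGNORECASE)
YAML_KV_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][\w-]*):\s*(.*)$")


def classify_password(value: str) -> str:
    """Return 'hashed', 'templated_hash', 'vaulted' or 'plaintext'."""
    v = value.strip().strip("'\"")
    if TEMPLATE_HASH_RE.search(v):
        return "templated_hash"
    if v.startswith("!vault"):
        return "vaulted"
    if CRYPT_HASH_RE.match(v):
        return "hashed"
    return "plaintext"


def lint_playbook(text: str) -> list:
    """Return [(line_number, message), ...] for each finding."""
    findings = []
    in_vars, vars_indent = False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if in_vars and indent <= vars_indent:
            in_vars = False          # left the vars: mapping
        m = YAML_KV_RE.match(raw)
        if not m:
            continue                 # continuation lines (e.g. a vault blob)
        key, value = m.group(1), m.group(2).strip()
        if key == "vars" and not value:
            in_vars, vars_indent = True, indent
        elif in_vars and SECRET_KEY_RE.match(key) and value:
            if classify_password(value) == "plaintext":
                findings.append((lineno, f"plaintext secret '{key}' in vars; "
                                 "use an ansible-vault value"))
        elif key == "password" and value:
            if classify_password(value) == "plaintext":
                findings.append((lineno, "password is not a crypt hash; "
                                 "the user module would store it verbatim"))
    return findings


# Constructed sample, modelled on the playbook in the question above.
QUESTION_PLAYBOOK = """\
- name: Creating Local User Account on RHEL Systems.
  hosts: hapansible05
  become: true
  vars:
    passwd: WSXcde1234
  tasks:
    - name: Creating Local User
      user:
        name: svc_cldscp
        password: "{{ passwd | password_hash('sha512') }}"
        shell: /bin/bash
"""

# Constructed sample: the footgun the linter exists for, a literal password.
LITERAL_PLAYBOOK = """\
- hosts: all
  tasks:
    - user:
        name: svc_cldscp
        password: WSXcde1234
"""

# Constructed sample: secret kept as an ansible-vault value (placeholder blob,
# not a real vault payload) and a precomputed sha512-crypt hash (placeholder).
VAULTED_PLAYBOOK = """\
- hosts: all
  vars:
    passwd: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30303030303030303030303030303030
  tasks:
    - user:
        name: svc_cldscp
        password: "$6$saltsalt$placeholderhashvalue"
"""

if __name__ == "__main__":
    for label, text in [("question", QUESTION_PLAYBOOK),
                        ("literal", LITERAL_PLAYBOOK),
                        ("vaulted", VAULTED_PLAYBOOK)]:
        print(label, lint_playbook(text) or "clean")
```

Run it against your own playbooks with lint_playbook(open(path).read()); a clean result means every password: value is already a hash, a password_hash template or a vault value, and no secret-looking literal sits in vars:.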

issue with delegate_to used in ansible task

Is it the proper behavior that a task with "delegate_to: "localhost"" tries to ssh to "localhost", and not from "localhost" (the Ansible master) to the remote's ssh port?
Playbook fails on:
"Timeout when waiting for localhost:2022"
Here is the example configuration I reproduce it with:
Inventory file:
[testremote]
192.168.170.113 ansible_user=ja
Ansible config file:
[defaults]
host_key_checking = False
inventory = hosts
callback_enabled = profile_tasks
ansible_port = 2022
Playbook file:
- hosts: testremote
  gather_facts: false
  vars:
    desired_port: 2022
  tasks:
    - name: check if ssh is running on {{ desired_port }}
      delegate_to: localhost
      wait_for:
        port: "{{ desired_port }}"
        host: "{{ ansible_host }}"
        timeout: 10
      ignore_errors: true
      register: desired_port_check
    - when: desired_port_check is success
      block:
        - debug:
            msg: "ssh is running on desired port"
        - name: configure ansible to use port {{ desired_port }}
          set_fact:
            ansible_port: "{{ desired_port }}"
        - name: run a command on the target host
          command: uptime
          register: uptime
        - debug:
            msg: "{{ uptime.stdout }}"
The remote host is already accessible on the desired port:
[ansible]$ ssh -p 2022 ja@testremote date
Sun Jun 20 16:40:36 CEST 2021
[ansible]$ ping testremote
PING testremote (192.168.170.113) 56(84) bytes of data.
64 bytes from testremote (192.168.170.113): icmp_seq=1 ttl=63 time=1.14 ms
And the result when the playbook is run:
[ansible]$ ansible-playbook test_playbook.yml
PLAY [testremote] **********************************************************************************************************************************************************
TASK [check if ssh is running on 2022] *************************************************************************************************************************************
fatal: [192.168.170.113 -> localhost]: FAILED! => {"changed": false, "elapsed": 10, "msg": "Timeout when waiting for localhost:2022"}
...ignoring
TASK [debug] ***************************************************************************************************************************************************************
skipping: [192.168.170.113]
TASK [configure ansible to use port 2022] **********************************************************************************************************************************
skipping: [192.168.170.113]
TASK [run a command on the target host] ************************************************************************************************************************************
fatal: [192.168.170.113]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host 192.168.170.113 port 22: Connection refused", "unreachable": true}
PLAY RECAP *****************************************************************************************************************************************************************
192.168.170.113 : ok=1 changed=0 unreachable=1 failed=0 skipped=2 rescued=0 ignored=1

Ansible: Importing GPG-keys from RPM Fusion not working

I'm trying to create a task to download and import the GPG-keys from the official RPM Fusion site but it fails.
- hosts: localhost
  connection: local
  name: DOWNLOADING AND IMPORTING SECURITY KEYS
  tasks:
    - name: Downloading the security key for RPM Fusion (free) repo
      get_url:
        url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020
        dest: ~/Downloads/free_keys.txt
    - name: Importing (free) key
      ansible.builtin.rpm_key:
        state: present
        key: ~/Downloads/free_keys.txt
    - name: Deleting security key file (free)
      ansible.builtin.file:
        path: ~/Downloads/free_keys.txt
        state: absent
    - name: Downloading the security key for RPM Fusion (non-free) repo
      get_url:
        url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
        dest: ~/Downloads/nonfree_keys.txt
    - name: Importing (non-free) key
      ansible.builtin.rpm_key:
        state: present
        key: ~/Downloads/nonfree_keys.txt
    - name: Deleting security key file (non-free)
      ansible.builtin.file:
        path: ~/Downloads/nonfree_keys.txt
        state: absent
This is the output:
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [Downloading the security key for RPM Fusion (free) repo] *****************
changed: [localhost] => {"changed": true, "checksum_dest": null, "checksum_src": "554f50b16f9cf421f7caf02ce83c9069fd399b0e", "dest": "/home/[REDACTED]/Downloads/free_keys.txt", "elapsed": 0, "gid": 1000, "group": "[REDACTED]", "md5sum": "7206830528e4e9fb61d52dafc4e32ed1", "mode": "0664", "msg": "OK (1704 bytes)", "owner": "[REDACTED]", "secontext": "unconfined_u:object_r:user_home_t:s0", "size": 1704, "src": "/home/[REDACTED]/.ansible/tmp/ansible-tmp-1623521488.9204922-9892-237385967611488/tmp38djamsm", "state": "file", "status_code": 200, "uid": 1000, "url": "https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020"}
TASK [Importing (free) key] ****************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Not a valid key ~/Downloads/free_keys.txt"}
PLAY RECAP *********************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
So far I've tried downloading the keys in .txt and .gpg format, but none of these methods work. Any suggestion is greatly appreciated.
EDIT: To answer your questions:
1.
TASK [Importing (free) key] ****************************************************
task path: /home/[REDACTED]/Documents/ansible-playbooks/for_laptops/dell_e7270/import_keys.yml:11
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: [REDACTED]
<127.0.0.1> EXEC /bin/sh -c 'echo ~[REDACTED] && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/[REDACTED]/.ansible/tmp `"&& mkdir "` echo /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038 `" && echo ansible-tmp-1623533463.7691412-3758-92960382692038="` echo /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038 `" ) && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/packaging/os/rpm_key.py
<127.0.0.1> PUT /home/[REDACTED]/.ansible/tmp/ansible-local-3682vs8hkmey/tmpjamn9upp TO /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/ /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/AnsiballZ_rpm_key.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/[REDACTED]/.ansible/tmp/ansible-tmp-1623533463.7691412-3758-92960382692038/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"fingerprint": null,
"key": "~/Downloads/free_keys",
"state": "present",
"validate_certs": true
}
},
"msg": "Not a valid key ~/Downloads/free_keys"
}
The keys are the ones under 'Fedora 34' in this link.
Yes, the keys downloaded look like that.
Unfortunately, changing the permissions did not work.
Looks like a solution could be to download the distribution-gpg-keys from the official repos before installing the RPM Fusion.
Try starting Ansible with very verbose logging:
/bin/ansible-playbook import_gpg.yml -vvvv
As far as I know, it's 2021 now, and judging by the URL (https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020), the key seems to have been issued for 2020.
I think you have downloaded and tried to import an expired key.
Can you verify that you downloaded a file that looks like a GPG key?
Something that looks like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF2tvGQBEAC5Q2ePLZZafOkFhYHpGZdRRBCcCd+aiLATofFV8+FjPuPLL/3R
......
kgQgWZ6F2RZm5/R28DHdAetji50XbnmXgAk/u9u2Hw2bVVJfJ0WpEVcPvA1L86SE
8i8p1fmzljwRazZAksk5Zh2QfaM0jlMYHWbKpbXQcX19Uerm7D9IkciZvDAmgBYV
S6Y=
=rOqq
-----END PGP PUBLIC KEY BLOCK-----
Probably they use Cloudflare, which blocks the default Ansible user agent (see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-http_agent). You can set the user agent to a browser one.
Or you can set proper permissions for the file being saved to disk:
- name: Downloading the security key for RPM Fusion (non-free) repo
  get_url:
    url: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
    dest: ~/Downloads/nonfree_keys.txt
    mode: 0600
Because RPM cannot import keys from world-writable files.
After some digging I found the solution, and it's simpler than I thought:
---
- hosts: localhost
  connection: local
  name: IMPORTING SECURITY KEYS
  tasks:
    - name: Importing (free) key
      ansible.builtin.rpm_key:
        state: present
        key: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-2020
    - name: Importing (non-free) key
      ansible.builtin.rpm_key:
        state: present
        key: https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020
Following the official documentation, I thought you had to download the keys to your PC and then install them. Instead, you can directly enter the URL into the key section.
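The "Not a valid key" failure in this thread is what rpm_key reports when the file it is handed is not an OpenPGP public key at all; an HTML challenge page or an error body saved by get_url produces exactly that. When keys are fetched by hand, checking the file before import is cheap. The validator below is an added example, not code from the thread or from Ansible: it checks the armor headers, decodes the base64 body, verifies the CRC-24 trailer (the "=rOqq" style line at the end of the block shown above) and confirms that the first packet is a Public-Key packet (tag 6). The armored sample it checks is built from made-up bytes and is not a usable key; the HTML sample is constructed to stand in for a challenge page. It needs only the standard library.

```python
"""Check that a downloaded file is an ASCII-armored OpenPGP public key before
feeding it to rpm --import / rpm_key.

Added example; not code from the thread or from Ansible. Standard library only.
"""
import base64
import binascii

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6   # RFC 4880 section 4.3: Public-Key packet


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 used for the armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor_public_key(text: str) -> bytes:
    """Return the binary packet data, or raise ValueError describing why the
    text is not a well-formed armored public key block."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start)
    except ValueError:
        raise ValueError("no PGP PUBLIC KEY BLOCK armor found") from None
    body, started = [], False
    for ln in lines[start + 1:end]:
        # Armor headers ("Version: ...") and the blank separator precede the data.
        if not started and (not ln.strip() or ":" in ln):
            continue
        started = True
        body.append(ln.strip())
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    crc_line = body.pop()
    try:
        data = base64.b64decode("".join(body), validate=True)
        crc_bytes = base64.b64decode(crc_line[1:], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in armor: {exc}") from None
    if len(crc_bytes) != 3 or int.from_bytes(crc_bytes, "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    if not data or not data[0] & 0x80:
        raise ValueError("data does not start with an OpenPGP packet")
    ctb = data[0]
    # New-format header carries the tag in the low 6 bits, old-format in bits 2..5.
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"first packet has tag {tag}, not a Public-Key packet")
    return data


def is_public_key_armor(text: str) -> bool:
    """True if the text passes every check in dearmor_public_key."""
    try:
        dearmor_public_key(text)
        return True
    except ValueError:
        return False


def armor_public_key(packets: bytes, crc_of=None) -> str:
    """Armor packet bytes. crc_of is only used to build the deliberately
    broken sample below (checksum computed over different bytes)."""
    b64 = base64.b64encode(packets).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = crc24(packets if crc_of is None else crc_of)
    crc_b64 = base64.b64encode(crc.to_bytes(3, "big")).decode("ascii")
    return "\n".join([BEGIN, ""] + body + ["=" + crc_b64, END]) + "\n"


# Constructed samples. FAKE_KEY_PACKET is an old-format Public-Key packet header
# (0x99, 2-byte length 3) followed by 3 junk bytes; it is not a usable key.
FAKE_KEY_PACKET = bytes([0x99, 0x00, 0x03, 0x04, 0xAA, 0xBB])
FAKE_SECRET_PACKET = bytes([0x95, 0x00, 0x03, 0x04, 0xAA, 0xBB])   # tag 5 (secret key)
SAMPLE_ARMOR = armor_public_key(FAKE_KEY_PACKET)
TAMPERED_ARMOR = armor_public_key(FAKE_KEY_PACKET[:-1] + b"\xbc", crc_of=FAKE_KEY_PACKET)
SAMPLE_HTML = "<!DOCTYPE html><html><head><title>Just a moment...</title></head></html>\n"

if __name__ == "__main__":
    for label, text in [("armored key", SAMPLE_ARMOR), ("tampered", TAMPERED_ARMOR),
                        ("html page", SAMPLE_HTML)]:
        print(f"{label}: {'valid' if is_public_key_armor(text) else 'rejected'}")
```

The same trust question applies to the URL form that solved the thread: the verbose output above shows rpm_key invoked with "fingerprint": null. Setting rpm_key's fingerprint parameter to the fingerprint you expect makes the import fail if a different key is served, which is the check that matters once the file shape is right.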

ansible ios_command timeout when doing "show conf" on cisco 3850

I've got a simple ansible playbook that works fine on most ios devices. It fails on some of my 3850 switches with what looks like a timeout when doing a "show conf". How do I specify a longer, non-default timeout for command completion with the ios_command module (and presumably also ios_config)?
Useful details:
Playbook:
---
- hosts: ios_devices
  gather_facts: no
  connection: local
  tasks:
    - name: OBTAIN LOGIN CREDENTIALS
      include_vars: secrets.yaml
    - name: DEFINE PROVIDER
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
    - name: LIST NAME SERVERS
      ios_command:
        provider: "{{ provider }}"
        commands: "show run | inc name-server"
      register: dns_servers
    - debug: var=dns_servers.stdout_lines
successful run:
$ ansible-playbook listnameserver.yaml -i inventory/onehost
PLAY [ios_devices] *****************************************************************************************************************
TASK [OBTAIN LOGIN CREDENTIALS] ****************************************************************************************************
ok: [iosdevice1.example.com]
TASK [DEFINE PROVIDER] *************************************************************************************************************
ok: [iosdevice1.example.com]
TASK [LIST NAME SERVERS] ***********************************************************************************************************
ok: [iosdevice1.example.com]
TASK [debug] ***********************************************************************************************************************
ok: [iosdevice1.example.com] => {
"dns_servers.stdout_lines": [
[
"ip name-server 10.1.1.166",
"ip name-server 10.1.1.168"
]
]
}
PLAY RECAP *************************************************************************************************************************
iosdevice1.example.com : ok=4 changed=0 unreachable=0 failed=0
unsuccessful run:
$ ansible-playbook listnameserver.yaml -i inventory/onehost
PLAY [ios_devices] *****************************************************************************************************************
TASK [OBTAIN LOGIN CREDENTIALS] ****************************************************************************************************
ok: [iosdevice2.example.com]
TASK [DEFINE PROVIDER] *************************************************************************************************************
ok: [iosdevice2.example.com]
TASK [LIST NAME SERVERS] ***********************************************************************************************************
fatal: [iosdevice2.example.com]: FAILED! => {"changed": false, "msg": "timeout trying to send command: show run | inc name-server", "rc": 1}
to retry, use: --limit @/home/sample/ansible-playbooks/listnameserver.retry
PLAY RECAP *************************************************************************************************************************
iosdevice2.example.com : ok=2 changed=0 unreachable=0 failed=1
The default timeout is 10 seconds; if the request takes longer than this, ios_command will fail.
You can add the timeout as a key in the provider variable, like this:
- name: DEFINE PROVIDER
  set_fact:
    provider:
      host: "{{ inventory_hostname }}"
      username: "{{ creds['username'] }}"
      password: "{{ creds['password'] }}"
      timeout: 30
If you've already got a timeout value in provider, here's a handy way to update only that key in the variable:
- name: Update existing provider timeout key
  set_fact:
    provider: "{{ provider | combine( {'timeout': '180'} ) }}"

Ansible playbook with when variable not executed

I have the following playbook example.yml:
- hosts: all
  remote_user: administrator
  become: yes
  tasks:
    - name: Put resolv.conf
      template:
        src: /home/user/resolv.conf.j2
        dest: /etc/resolv.conf
        backup: yes
        mode: 0644
        when: variable_name == "string"
The purpose is to update the resolv.conf by a customized one.
For executing it I am running:
ansible-playbook example.yml -k -u administrator --become --ask-become-pass --limit server_name -e variable_name='string'
However I get the following error:
SSH password:
SUDO password[defaults to SSH password]:
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [server_name]
TASK [Put resolv.conf] *******************************************************
fatal: [server_name]: FAILED! => {"changed": true, "failed": true, "msg": "unsupported parameter for module: when"}
to retry, use: --limit @/home/user/playbooks/example.retry
PLAY RECAP *********************************************************************
server_name : ok=1 changed=0 unreachable=0 failed=1
I have tried different syntax: applying "()" to the variable, changing between double and single quotes, etc. But it is always the same error.
If I leave out both the variable and the when condition, the task completes successfully.
Where is the problem?
Mind the padding!
- hosts: all
  remote_user: administrator
  become: yes
  tasks:
    - name: Put resolv.conf
      template:
        src: /home/user/resolv.conf.j2
        dest: /etc/resolv.conf
        backup: yes
        mode: 0644
      when: variable_name == "string"
when is a task property, not a parameter of the template module.