Better to use ssh keys or store the details in ansible vault or something but if you need to prompt for the password you could potentially use vars_prompt: ?
something like
- hosts: all
  become: yes
  vars_prompt:
    - name: ansible_become_pass
      prompt: "Enter sudo password"
      private: yes
  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present
From: ansible...@googlegroups.com <ansible...@googlegroups.com>
On Behalf Of Dick Visser
Sent: Wednesday, February 21, 2024 9:53 AM
To: ansible...@googlegroups.com
Subject: [ansible-project] trigger --ask-become-pass with playbook variable?
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ansible-proje...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAF8BbLZ4UY0tmtTXn%3DWHpLKf2icaRiGYPr7SmHqk0AsEGD53oQ%40mail.gmail.com.
Why not use the "-K" when launching ansible-playbook? That will trigger prompting for the sudo password securely.
The private: yes, should prevent it from being logged etc if I’m reading the documentation correctly.
e.g.
- hosts: all
  become: yes
  vars_prompt:
    - name: ansible_become_pass
      prompt: "Enter sudo password"
      private: yes
  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present
however,
Have you looked into host_vars?
I tend to refer to hosts with a friendly name, as often we don't have FQDNs or connect via a different IP to what DNS would point to etc.
something like
ansible_project/
│
├── playbook.yml
│
├── inventory/
│   └── inventory.yml
│
└── host_vars/
    ├── webserver01/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    │
    ├── webserver02/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    │
    ├── sqlserver01/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    │
    └── sqlserver02/
        ├── vars.yml   # Plain text variables file
        └── vault.yml  # Ansible Vault encrypted variables file
Example inventory

all:
  children:
    webservers:
      hosts:
        webserver01:
        webserver02:
    sqlservers:
      hosts:
        sqlserver01:
        sqlserver02:

# Example content of host_vars/webserver01/vars.yml
ip: "192.168.1.101"
port: 22
username: "your_user"
ansible_become_pass: "{{ P_ansible_become_pass }}"

# Example content of host_vars/webserver01/vault.yml
P_ansible_become_pass: "your password here"
I like to reference encrypted vars in the non encrypted vars so I can get a view of all vars in one place without needing to de-crypt the vault file.
Hope that helps
Stu
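An added check for the host_vars layout above (example code written for this thread, not from any poster or from Ansible itself): it walks host_vars/*/, confirms each vault.yml really carries the Ansible Vault header, and flags any vars.yml that holds a literal become password instead of a "{{ P_... }}" reference to the vault file. The directory contents it builds are constructed sample data; the vault ciphertext line is a placeholder, not real output of ansible-vault.

```shell
#!/bin/sh
# check_host_vars ROOT: exit 0 when the layout is clean, 1 when any
# vault.yml is unencrypted or any vars.yml holds a plaintext password.
check_host_vars() {
  root="$1"
  rc=0
  for vault in "$root"/host_vars/*/vault.yml; do
    [ -e "$vault" ] || continue
    # Files written by ansible-vault start with "$ANSIBLE_VAULT;<version>;<cipher>".
    if ! head -n 1 "$vault" | grep -q '^\$ANSIBLE_VAULT;'; then
      echo "UNENCRYPTED: $vault"; rc=1
    fi
  done
  for vars in "$root"/host_vars/*/vars.yml; do
    [ -e "$vars" ] || continue
    # ansible_become_pass / ansible_become_password in the plain file must be
    # a Jinja reference ("{{ ... }}") into the vault file, never a literal.
    if grep -E '^ *ansible_become_pass(word)?:' "$vars" | grep -vq '{{'; then
      echo "PLAINTEXT PASSWORD: $vars"; rc=1
    fi
  done
  return $rc
}

# make_demo_tree DIR good|bad: constructed sample trees for the check above.
make_demo_tree() {
  dir="$1"; kind="$2"
  mkdir -p "$dir/host_vars/webserver01"
  if [ "$kind" = good ]; then
    # Pattern from the thread: plain file references the vaulted variable.
    printf 'ansible_become_pass: "{{ P_ansible_become_pass }}"\n' \
      > "$dir/host_vars/webserver01/vars.yml"
    printf '$ANSIBLE_VAULT;1.1;AES256\n00000000 (placeholder, not real ciphertext)\n' \
      > "$dir/host_vars/webserver01/vault.yml"
  else
    # The mistake to catch: literal password in both files, vault never encrypted.
    printf 'ansible_become_pass: "hunter2"\n' > "$dir/host_vars/webserver01/vars.yml"
    printf 'P_ansible_become_pass: "hunter2"\n' > "$dir/host_vars/webserver01/vault.yml"
  fi
}

# Usage: sh check_host_vars.sh /path/to/ansible_project
[ -n "${1:-}" ] && check_host_vars "$1"
```

Wire it into a pre-commit hook or CI job so a vault.yml that was accidentally committed in the clear fails the build instead of reaching the repository.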
From: ansible...@googlegroups.com <ansible...@googlegroups.com>
On Behalf Of Evan Hisey
Sent: Thursday, February 22, 2024 9:11 PM
To: ansible...@googlegroups.com
Subject: Re: [ansible-project] trigger --ask-become-pass with playbook variable?
Potentially, as far as I can tell the workaround does nothing to stop a plaintext log of the password in memory. You might also consider using Ansible Vault and the ansible_become_password variable. This seems more in line with what you need/want. It even allows for using different passwords at various points by changing the variable with set.
https://eengstrom.github.io/musings/ansible-sudo-var