Using playbook|command line|included vars in inventory vars


Brice Burgess

Oct 14, 2013, 5:47:51 PM
to ansible...@googlegroups.com
I have a situation where it would be helpful to utilize included/playbook variables within inventory variables. For instance;

[ group_vars/lab.yml ]
---
# Inventory variables
ansible_ssh_private_key_file: "{{ repo_keys_dir }}/lab-server+{{ remote_user }}.key"

[application_prepare.yml]
---
##
# Application Preparation Playbook.
#   - typically executed via applications/prepare.sh
#   - standalone example usage:
#       repo_home$ ansible-playbook -i hosts/lab.inventory application_prepare.yml --extra-vars="host_group=irc namespace=blubot git_branch=master"
##

- name: "prepare application {{ namespace }}"
  hosts: "{{ host_group }}"
  remote_user: "root"

... etc.


So that if I executed this on a host in the "lab" group, it would use

"/path/to/keys/lab-server+root.key" as ansible_ssh_private_key_file


Admittedly I've only tried the jinja2 syntax in my inventory vars file; but it does not seem to substitute (my guess is that inventory vars are calculated first and can only be overridden by later variable definitions).

So; are any variables available to be used when defining inventory variables?

Many thanks!

~ Brice









Michael DeHaan

Oct 14, 2013, 6:44:59 PM
to ansible...@googlegroups.com
Variables are late bound, but I'm curious how you are deciding that it's not substituting.

name lines don't show things in inventory scope as they differ between hosts.







--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Brice Burgess

Oct 15, 2013, 12:07:13 AM
to ansible...@googlegroups.com
Michael,

My version of ansible is -master (currently 1.4). I realized it wasn't substituting by testing with and without the variable.  So for instance;

[ group_vars/lab.yml ]
---
ansible_ssh_private_key_file: "/keys/path/lab-server+root.key"

[application.yml]
---

- name: "prepare application {{ namespace }}"
  hosts: "lab"
  remote_user: "root"

Will *work* (e.g. the play connects to host(s) in the lab group && runs tasks remotely).

If I keep the same playbook with remote_user defined as "root", and use the remote_user variable in the inventory file as:

[ group_vars/lab.yml ]
---
ansible_ssh_private_key_file: "/keys/path/lab-server+{{ remote_user }}.key"

It will fail to connect w/ an ssh error.

OF NOTE: If testing ansible_ssh_private_key I recommend testing variable substitution first; and/or test against a different host each time. The ssh connection key was seemingly cached per host; so if you test with the hardcoded key file first, and it works, and then later change to using a variable; it may still work.

My workaround is to always connect as the root user for application deployment/preparation, and then pass sudo: yes, sudo_user: <restricted_application_user> to included *deployment* tasks. This encouraged the use of tags [prepare, deploy] and a single application playbook file, which feels more "ansibley". Now I hope my other team members find it understandable! :)

~ Brice

Michael DeHaan

Oct 15, 2013, 9:54:53 AM
to ansible...@googlegroups.com
I don't know where you expect remote_user to be coming from.

Did you mean "ansible_ssh_user" ?

Also did you want a literal "+" in the filename?

In any event, 'ansible_ssh_user' is basically an input variable based on who you connect to, and I wouldn't expect you could use it there.

It would not make sense to put that in inventory because you might connect as a variety of users.


Brice Burgess

Oct 15, 2013, 12:52:52 PM
to ansible...@googlegroups.com
Michael,

remote_user was a bad example. I am really trying to substitute an INCLUDED or PLAYBOOK variable inside of an inventory variable. Here's a better example:


[group_vars/lab.yml]
---
ansible_ssh_private_key_file: "{{ repo_keys_dir }}/lab-server+root.key"




[playbook.yml]
---
- name: "application example"
  hosts: "{{ host_group }}"
  remote_user: "root"
 
  vars:
    repo_keys_dir: "/home/nesta/git/SysOps/infrastructure/keys"
   
  tasks:
    ...


[command]
nesta@cicayda:~/git/SysOps/automation$ ansible-playbook -vvvv -i hosts/lab.inventory playbook.yml --extra-vars="host_group=lab.memcached.cicayda.net namespace=test_app"


[output]
...
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: {{repo_keys_dir}}/lab-server+root.key
debug3: no such identity: {{repo_keys_dir}}/lab-server+root.key
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).



Now if I hardcode the path to the keys directory it works. Thankfully I worked around this using a relative path to the playbook.. and could probably use ansible.cfg for this [although we don't distribute that yet].

Re: using a literal + in the filename; this is our practice. Our keys look like;

[server_role]+[user].key

e.g.

ec2-server+root.key
lab-server+datomic.key

etc.

Thanks!

~ Brice
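
The symptom in the output above (a literal `{{repo_keys_dir}}` reaching ssh as the identity path) can be detected mechanically. The following is an added example, not part of the original thread or of Ansible itself: it scans `ssh -v` style debug output for identity paths that still contain unrendered Jinja2 expressions. The function name, the regular expressions, and the sample log (constructed from the lines quoted in the post plus one rendered path) are assumptions made for illustration.

```python
import re

# The two OpenSSH client debug lines shown in the post that name a key path.
IDENTITY_LINE = re.compile(
    r"^debug\d: (?:Trying private key|no such identity): (?P<path>.+)$"
)
# A Jinja2 expression that was passed through verbatim; captures the
# leading variable name, e.g. {{ repo_keys_dir }} -> repo_keys_dir.
TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z_]\w*)[^}]*\}\}")

# Constructed sample: lines from the post's output plus one rendered path.
SAMPLE_LOG = """\
debug1: Next authentication method: publickey
debug1: Trying private key: {{repo_keys_dir}}/lab-server+root.key
debug3: no such identity: {{repo_keys_dir}}/lab-server+root.key
debug1: Trying private key: /keys/path/lab-server+root.key
debug1: No more authentication methods to try.
"""


def unrendered_identities(log_text):
    """Map each identity path containing '{{ ... }}' to the variable
    names that were never substituted, in order of first appearance."""
    findings = {}
    for line in log_text.splitlines():
        match = IDENTITY_LINE.match(line.strip())
        if not match:
            continue
        path = match.group("path")
        names = TEMPLATE_VAR.findall(path)
        if not names:
            continue  # path was fully rendered
        seen = findings.setdefault(path, [])
        for name in names:
            if name not in seen:
                seen.append(name)
    return findings


if __name__ == "__main__":
    for path, names in unrendered_identities(SAMPLE_LOG).items():
        print(f"unrendered key path {path!r}: missing {', '.join(names)}")
```

Running it against the captured `-vvvv` output of a play points at the variable that was not in scope when the connection was made, before the failure is mistaken for a bad key.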

Michael DeHaan

Oct 15, 2013, 7:31:25 PM
to ansible...@googlegroups.com
Please open a github ticket with a linked gist or playbook that reproduces this in hello-world kind of form and I can see if I can reproduce this.

Thanks!