Geek Answers Handbook

In Ansible, is it possible to define an authentication method for each piece?

TL; DR: Is it possible to connect two pieces with one single play command, in which one playbook is the auth password and the other is the key auth? (see last section for real world purposes).

Setup:

I have two plays, the second of which include first.

PlaybookA.yml

 --- - name: PlaybookA # requires password authentication hosts: sub.domain.ext remote_user: root roles: - { role: role1, sudo: yes } ...

PlaybookB.yml

 --- - name: Run PlaybookA include: PlaybookA.yml - name: PlaybookB # requires ssh-key authentication hosts: sub.domain.ext remote_user: ansible roles: - { role: role2, sudo: yes } ...

Requirements:

  • Run only one command.
  • Use auth password for PlaybookA.
  • Use ssh-key auth for PlaybookB.

Question 1:

Is it possible in Ansible (version 1.9.4 or lower) to run one ansible-playbook command that will successfully launch PlaybookB using ssh key authentication, but when PlaybookB includes PlaybookA, start PlaybookA using password authentication?

Question 2:

If this is not possible with Ansible 1.9.4 or lower, is it possible with 2.0.0 +?

Notes:

  • Ansible provides --ask-pass (or -k ) as a command line switch that allows password authentication.
  • Ansible provides ask_pass as a variable, but it seems that it can only be set in ansible.cfg (I could not set this as a playbook variable for the desired effect).
  • Attempting to set ask_pass as an instruction in the ask_pass results in the following: ERROR: ask_pass is not a legal parameter of an Ansible Play . If this option is legal, it will provide you with a way to instruct at the level of each book which authentication method to use.

Purpose / Real World:

I am trying to create a configuration management workflow using Ansible that will be simple enough so that others at work can learn / adapt to it (and hopefully using Ansible in general for CM and orchestration).

For any new machine (VM or physical) to be built, I intend to immediately launch two boot books at once. PlaybookA (as shown above) is responsible for logging in with the correct user by default (this usually depends on the infrastructure [aws, vsphere, none, etc.]). Come in, very limited work:

  • Create a standardized user to be able to run it (and set its ssh key).
  • Remove any non-root users that may exist (vm infrastructure artifacts, etc.).
  • Disable root access.
  • Disable password authentication (only ssh key from this point).

Depending on the vm infrastructure (or lack thereof), the default user or default authentication method may be different. Regarding the goal of adopting Ansible, I am trying to make things extremely simple for fellow colleagues, so I would like to automate as much of this flow control as possible.

After PlaybookA has blocked vm and installed a standardized user, PlaybookB uses this standardized user to perform all other operations necessary to bring our vm to the necessary baseline of tools and utilities, etc.

Any advice, tips, suggestions are welcome.

+7
authentication passwords ssh-keys ansible ansible-playbook
source share
2 answers

Today I faced the same problem. Two ideas can help here: You can request a password using vars_prompt in your tutorial, not --ask-pass Set a password using set_fact:

 - name: "set password for the play" set_fact: ansible_ssh_pass="{{ my_pass }}"

You can save the password in a file or request it, as in the example below. In my example, the created sshd configuration forbids entering the password system, but when using unoccupied default values, you will be surprised that the second play will be performed (!), Although I forgot to create author_key. This is because ansible uses the ControlPersist options for ssh and simply maintains a connection between the individual tasks. You can disable this in the ansible.cfg file

Playbook example:

 - name: "MAKE BARE: Run preparatory steps on a newly acquired server" hosts: blankee tasks: - name: "set password for the play" set_fact: ansible_ssh_pass="{{ my_pass }}" - name: "Create directory {{ pathsts }}/registry/ansible-init" file: name="{{ pathsts }}/registry/ansible-init" state=directory owner=root group=www-data mode=770 - name: "copy sshd config file" copy: src: 'roles/newhost/files/sshd_config' dest: '/etc/ssh/sshd_config' owner: 'root' group: 'root' mode: '0644' - name: "Check syntax of sshd configuration" shell: sshd -t register: result changed_when: false failed_when: "result.rc != 0" - name: "Restart SSHD and enable Service to start at boot" service: name=sshd state=restarted changed_when: false vars: my_pass2: foobar vars_prompt: - name: "my_pass" prompt: "########## Enter PWD:\n " - name: "Second run: This should authenticate w/out password:" hosts: blankee tasks: - name: "Create directory {{ pathsts }}/registry/ansible-init" file: name="{{ pathsts }}/registry/ansible-init22" state=directory owner=root group=www-data mode=770
+5
source share

I do not know a way to change the authentication method in the game. I think I would prefer to use two different pieces as Jenkins' work or the like, but I can come up with a clean alternative to Ansible: instead of turning on the second piece, you might be able to run the shell command as a local action and run the command to execute the second piece from the first . Here's a rough proof of concept:

 --- - hosts: all vars_files: - vars.yml tasks: - debug: msg="Run your first role here." - name: Then call Ansible to run the second playbook. local_action: shell ansible-playbook -i ~/workspace/hosts ~/workspace/second_playbook.yml register: playbook_results - debug: var=playbook_results.stdout_lines

Here's the conclusion:

 GATHERING FACTS *************************************************************** ok: [vagrantbox] TASK: [debug msg="Run your first role here."] ********************************* ok: [vagrantbox] => { "msg": "Run your first role here." } TASK: [Then call Ansible to run the second playbook.] ************************* changed: [vagrantbox -> 127.0.0.1] TASK: [debug var=playbook_results.stdout_lines] ******************************* ok: [vagrantbox] => { "var": { "playbook_results.stdout_lines": [ "", "PLAY [Proof of concept] ******************************************************* ", "", "GATHERING FACTS *************************************************************** ", "ok: [vagrantbox]", "", "TASK: [debug msg=\"This playbook was called from another playbook!\"] *********** ", "ok: [vagrantbox] => {", " \"msg\": \"This playbook was called from another playbook!\"", "}", "", "PLAY RECAP ******************************************************************** ", "vagrantbox : ok=2 changed=0 unreachable=0 failed=0 " ] } } PLAY RECAP ******************************************************************** vagrantbox : ok=4 changed=1 unreachable=0 failed=0
0
source share

More articles:


All Articles