I'm currently learning how to use Ansible. Right now, I've got a bunch of servers, both new and legacy, that have different logins or passwords or both. All have key access to run the plays.
Here's what I started with. Example hosts file:
# legacy and new have different logins (like root and deploy)
[legacy]
serv1
serv2
[new]
serv3
serv4
# different has a different login and password altogether
[different]
serv5
So to keep things simple, I originally had a playbook run the equivalent of sudo apt-get update && sudo apt-get upgrade
on all the machines, but because of the different login/passwd, I had created multiple playbooks for each host. But now I want to DRY it out and am looking at Roles, per their docs.
Right now I have something like this. The test/roles/common/tasks/main.yml file:
---
- name: run apt-get update
apt: update_cache=yes
- name: run apt-get upgrade
apt: upgrade=yes
The site.yml file:
- name: apply common configuration to all nodes
hosts: all
roles:
- common
I understand that I can actually define the different logins with ansible_ssh_user=root
or ...=deploy
in my hosts file. Or put them in group vars. But what do I do about the different sudo passwords? [legacy]
is root so I don't need sudo
, but [new]
and [different]
need it, and have different passwords. How do I do this? Group vars? Do I create these: test/group_vars/new/some_file_with_a_passwd.yml and test/group_vars/different/some_other_passwd.yml (ignoring security issues)?
How does the site.yml recognize that there are hosts with different passwords or some hosts with no passwords?
Edit for clarity's sake: I have SSH access, so doing the 'pre-tasks' step during the play always work (I connect via key access and never via a password). I'm not worried about security as that's the next step. For now, I want to get the group_vars thing right....It's the sudo
escalation I have issues with. E.g. serv1 sudo might be root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3
Using the --limit parameter of the ansible-playbook command is the easiest option to limit the execution of the code to only one host. The advantage is that you don't need to edit the Ansible Playbook code before executing to only one host.
If you have equal count of hosts in each group, you can use pattern + serial. Ansible forms host list by pattern moving through groups sequentially. So if you have equal count of hosts, then batches formed by serial will be equal to groups.
Running a Playbook with Data Encrypted via Ansible Vault If you used default options and the prompt password source when encrypting the data used in this playbook, you can use the option --ask-vault-pass to make Ansible prompt you for the password: ansible-playbook myplaybook. yml --ask-vault-pass.
Okay, you kind of have two questions here:
How to connect to different hosts with different SSH keys?
Create a different group_vars file for each set of hosts, and set the credentials in there.
# group_vars/legacy
---
ansible_ssh_user: myuser
ansible_ssh_key: ~/.ssh/legacy_key.pem
Then Ansible will apply a different key based on which group each host is in, simple as that.
How to use different credentials per host for privilege escalation?
Once more, stick them in different group_vars files for each set of hosts:
# group_vars/legacy
---
ansible_become_user: root
ansible_become_pass: "{{ vaulted_legacy_password }}"
Then you can use the keyword become: yes
to escalate privileges, and Ansible will apply the right credentials for each group. If you're already root, the become
keyword just won't have any effect.
And then... see that {{ vaulted_legacy_password }}
variable up there?
Best practice, and the only sensible thing to do if you are ever sharing this code, is to make an Ansible Vault file and keep your passwords in there. Ansible Vault password protects your sensitive variables and lets you decrypt them at the time of running.
You can either make your whole group_vars/legacy
file vaulted (if the credentials are the only information in it), or make a group_vars/legacy folder, with one plaintext file and one encrypted file in it. All files in a subdirectory of group_vars will be sourced and applied to the group with the name of the folder.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With