Re: [ansible-project] debconf with variable is not really idempotent?
Ok, I did not know about it. I confirm I only have this behavior with password fields.

Thanks

On 16/07/2015 20:20, Brian Coca wrote:
> passwords cannot be read, so they always appear as changed, this is a limitation of debconf itself. all other field types should work as you expect
>
> -- Brian Coca

-- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/55A81723.2060703%40phyks.me. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Error with playbook, which should create user accounts and set authorized public keys
Hi Brian, here's the info you asked for:

```
TASK: [debug var=users] ***
testvm1 ESTABLISH CONNECTION FOR USER: dimitar
testvm2 ESTABLISH CONNECTION FOR USER: dimitar
ok: [testvm1] = { var: { users: users } }
ok: [testvm2] = { var: { users: users } }

TASK: [create new users] **
fatal: [testvm2] = with_items expects a list or a set
fatal: [testvm1] = with_items expects a list or a set

FATAL: all hosts have already failed -- aborting
```

Hope it helps :)

Regards, Dimitar

On Wednesday, July 15, 2015 at 6:59:46 PM UTC+3, Brian Coca wrote:
> that looks correct, very similar to what i was doing. can you run with - and also - debug: var=users ?
>
> -- Brian Coca
[ansible-project] Importing custom python library from ansible custom module
Hello all,

Is there a way to import a custom python library from an ansible custom module? I am trying to create a custom module and need a specific python library. I have put my inifile.py file in the library folder of my playbook. My ansible custom module is in the same folder. However, when using the import command (from inifile import IniFile) in the custom module, it cannot find the python library:

```
invalid output was: Traceback (most recent call last):
  File /home/olivier/.ansible/tmp/ansible-tmp-1437029018.2-53200658786921/file_ini_correct_options, line 92, in module
    from inifile import IniFile
ImportError: No module named inifile
```

Any way to do that?

Regards, Olivier
[ansible-project] Re: win_unzip hanging
hi jon, unfortunately, nothing works to solve the problem... is there anything new on the domain access? because it would make things a lot easier for me (and the windows community)!!!

Thanks

On Wednesday, 15 July 2015 at 14:53:36 UTC+1, J Hawkesworth wrote:
> Hi Guillaume, A few things you could try.
> 1/ Run with -v to see if the module is being run.
> 2/ set ANSIBLE_KEEP_REMOTE_FILES=1 on your controller before running your playbook. This will then not delete the powershell scripts so you can log into the affected machine and run them directly in powershell
> 3/ check event log for errors.
> Hopefully you can find out what the problem is using the above.
> Jon
>
> On Wednesday, July 15, 2015 at 12:24:53 PM UTC+1, Guillaume Querso wrote:
>> hi all, I am using ansible to unzip files on a windows 2008 R2 server. My playbook was working fine but for an unknown reason, the win_unzip module is now never ending. i am running ansible 1.9.2. Thank you for your help!!
[ansible-project] Ansible copy module hangs on CentOS 7
Hi Guys,

I have a playbook to copy DNS zone files from local directory to a remote one and restart the named service. The playbook is as follows:

```
---
# This playbook upgrades zone data files from the control machine to all DNS servers 1 machine at a time
- name: Upgrade zone data files. Reload named-chroot if required
  hosts: dnsservers
  gather_facts: no
  sudo: yes
  serial: 1
  tasks:
    - name: copy dns zone files from control machine to DNS servers
      copy: src=zones/ dest=/var/named owner=root group=named mode=0440
      register: namedzones
    - name: restart dns service if required
      service: name=named-chroot state=restarted
      when: namedzones.changed
```

I test run the playbook as follows:

```
ansible-playbook -vv dns-copy-zones.yml --ask-become-pass --check
```

The output is:

```
SUDO password:

PLAY [Upgrade zone data files. Reload named-chroot if required] ***

TASK: [copy dns zone files from control machine to DNS servers] ***
fatal: [192.168.16.195] = ssh connection error while waiting for sudo password prompt

FATAL: all hosts have already failed -- aborting

PLAY RECAP
           to retry, use: --limit @/home/martin/dns-copy-zones.retry

192.168.16.195 : ok=0 changed=0 unreachable=1 failed=0
```

When I increase the verbosity I can see 5-6 files are copied then copy hangs locally on transferring the next file and eventually times out. On the remote machine if I tail /var/log/secure I can see all the files up to the last one going through. The machine I run the playbook from and the destination machine are both CentOS 7. The version is ansible 1.9.2. Below is the more verbose output I have highlighted what I think are the important messages.
I am only including the last file to go through successfully and the next one to hang (let me know if you require the full output):

ON CONTROL MACHINE:

```
192.168.16.195 EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/home/martin/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.16.195 /bin/sh -c 'sudo -k sudo -H -S -p [sudo via ansible, key=zasgrvyvetzjqebxkfgjmaeohbealypu] password: -u root /bin/sh -c '''echo BECOME-SUCCESS-zasgrvyvetzjqebxkfgjmaeohbealypu; rc=flag; [ -r /var/named/named.empty ] || rc=2; [ -f /var/named/named.empty ] || rc=1; [ -d /var/named/named.empty ] rc=3; python -V 2/dev/null || rc=4; [ x$rc != xflag ] echo ${rc} /var/named/named.empty exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1(); afile = open('/var/named/named.empty', rb) buf = afile.read(BLOCKSIZE) while len(buf) 0: hasher.update(buf) buf = afile.read(BLOCKSIZE) afile.close() print(hasher.hexdigest())' 2/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha(); afile = open('/var/named/named.empty', rb) buf = afile.read(BLOCKSIZE) while len(buf) 0: hasher.update(buf) buf = afile.read(BLOCKSIZE) afile.close() print(hasher.hexdigest())' 2/dev/null) || (echo '0 '/var/named/named.empty)
192.168.16.195 EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/home/martin/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.16.195 /bin/sh -c 'sudo -k sudo -H -S -p [sudo via ansible, key=bnbotucjqsepetntcsddztjuluwdvzam] password: -u root /bin/sh -c '''echo BECOME-SUCCESS-bnbotucjqsepetntcsddztjuluwdvzam; rc=flag; [ -r /var/named/named.localhost ] || rc=2; [ -f /var/named/named.localhost ] || rc=1; [ -d /var/named/named.localhost ] rc=3; python -V 2/dev/null || rc=4; [ x$rc != xflag ] echo ${rc} /var/named/named.localhost exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1(); afile = open('/var/named/named.localhost', rb) buf = afile.read(BLOCKSIZE) while len(buf) 0: hasher.update(buf) buf = afile.read(BLOCKSIZE) afile.close() print(hasher.hexdigest())' 2/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha(); afile = open('/var/named/named.localhost', rb) buf = afile.read(BLOCKSIZE) while len(buf) 0: hasher.update(buf) buf = afile.read(BLOCKSIZE) afile.close() print(hasher.hexdigest())' 2/dev/null) || (echo '0 '/var/named/named.localhost)
```

ON THE DESTINATION MACHINE (output in /var/log/secure):

```
Jul 16 12:48:00 dominus sudo: martin : TTY=pts/2 ; PWD=/home/martin ;
```
[ansible-project] tags with roles
Hi All,

I want to use tags inside the roles, here is my usecase: I want to execute tasks marked with from testrole:

```
[root@wildfly ~/ansible]$ cat test.yml
---
- hosts: local
  roles:
    - {role: testrole, tags: ['']}
```

here is the role:

```
[root@wildfly ~/ansible]$ cat roles/testrole/tasks/main.yml
---
- name: tag
  local_action: command echo
  tags:
    -
- name: tag
  local_action: command echo
  tags:
    -
```

but both tasks are executed:

```
[root@wildfly ~/ansible]$ ansible-playbook -i inventory.ini test.yml

PLAY [local] **

GATHERING FACTS ***
ok: [localhost]

TASK: [testrole | tag] ***
changed: [localhost - 127.0.0.1]

TASK: [testrole | tag] ***
changed: [localhost - 127.0.0.1]

PLAY RECAP
localhost : ok=3 changed=2 unreachable=0 failed=0
```

Is this OK, or bug?

Regards, Vlado
[ansible-project] ec2_vpc route_tables tags not created
Creating VPC using ec2_vpc module. Have a public net so adding a routing table:

```
route_tables: [ { subnets: [10.0.0.0/24], routes: [ { dest: 0.0.0.0/0, gw: igw } ], resource_tags: { Name: way_out } } ],
```

The route is created but it does not have any tags (it has empty Name tag which is always created by Amazon). There are no error messages. Similar resource_tags work fine for the vpc and subnets. Also tried to add another tag (in addition to Name) but that one didn't show up in the created route table either.

Going by the docs at http://docs.ansible.com/ec2_vpc_module.html which say: A dictionary array of route tables to add of the form: { subnets: [172.22.2.0/24, 172.22.3.0/24,], routes: [{ dest: 0.0.0.0/0, gw: igw},], resource_tags: ... }.

Any ideas what's going on? Thanks!

erik
Re: [ansible-project] Importing custom python library from ansible custom module
In a previous life I've had to do what you are attempting. Ansible will not automatically know to install dependencies like your custom library for you. That is up to you to handle. There are two ways I've gone about resolving this:

1) Install said libraries in your default python library path on each remote box.
2) Copy/install your libraries to an alternate path location (could be one time could be an earlier task of the play) and use the environment argument on the task that uses your custom module to append said library path to PYTHONPATH.

Not knowing what is in your inifile.py, you may want to consider embedding that library in the module if it's a single library file that's not too complex. I didn't personally use this approach, though I considered it, in my own because the library files had other usage outside of my custom Ansible module and I didn't want to play around keeping the code in sync.

Hope that helps.

tim/
Re: [ansible-project] Importing custom python library from ansible custom module
I didn't give up at all. Far from it! I started working for Ansible. Last I spoke to my former co-workers they are still using option 2 that I set up because they do not have the ability to install python libraries in the default library path.

tim/

On Thu, Jul 16, 2015 at 10:14 AM, Martin mar...@marcher.name wrote:
> Hi,
>
> On Thu, Jul 16, 2015 at 4:05 PM Timothy Appnel t...@ansible.com wrote:
>> In a previous life I've had to do what you are attempting.
>
> So what do you do now? It sounds like you went on and are using a completely different approach to achieve what the op wants to do (load custom code). I'm not asking about options but rather what you actually ended up with doing (give up and/or stopped using the tool are viable answers to me)
>
> /Martin
Re: [ansible-project] Importing custom python library from ansible custom module
Hi,

On Thu, Jul 16, 2015 at 4:05 PM Timothy Appnel t...@ansible.com wrote:
> In a previous life I've had to do what you are attempting.

So what do you do now? It sounds like you went on and are using a completely different approach to achieve what the op wants to do (load custom code). I'm not asking about options but rather what you actually ended up with doing (give up and/or stopped using the tool are viable answers to me)

/Martin
[ansible-project] how to set up kerberos
hi all!

I am currently using ansible 1.9.2 on a RHEL 6 server. what I would like is to connect to a windows 2008 R2 server via kerberos to be able to use domain accounts.

- What i did: creating a ticket on the linux server for the concerned domain account. Synchronized the clocks.
- What it is not working: i have a: 401 unauthorized access when i try to run a playbook.

Do you know what i am missing? Thanks for your help on this!

Guillaume Q
[ansible-project] Error creating RDS instance
I'm getting the following in a playbook when a task to create an RDS instance runs:

```
msg: failed to create instance: null
```

This task worked fine yesterday, today I made a minor change to the VPC task (below) by adding another app subnet and specifying availability zones for the 2 app subnets, but this should have no effect on the RDS task. The RDS task itself hasn't been changed.

```
- name: provision white label vpc
  ec2_vpc:
    state: present
    cidr_block: 10.{{ wl_vpc_prefix }}.0.0/16
    resource_tags: { "Name": "{{ wl_name }}-bbe-vpc" }
    region: us-west-1
    subnets:
      - cidr: 10.{{ wl_vpc_prefix }}.1.0/24
        resource_tags: { "Name": "{{ wl_name }}-bbe-public" }
      - cidr: 10.{{ wl_vpc_prefix }}.2.0/24
        az: us-west-1a
        resource_tags: { "Name": "{{ wl_name }}-bbe-app" }
      - cidr: 10.{{ wl_vpc_prefix }}.3.0/24
        az: us-west-1b
        resource_tags: { "Name": "{{ wl_name }}-bbe-app" }
      - cidr: 10.{{ wl_vpc_prefix }}.4.0/24
        resource_tags: { "Name": "{{ wl_name }}-bbe-mgmt" }
      - cidr: 10.{{ wl_vpc_prefix }}.5.0/24
        az: us-west-1a
        resource_tags: { "Name": "{{ wl_name }}-bbe-db" }
      - cidr: 10.{{ wl_vpc_prefix }}.6.0/24
        az: us-west-1b
        resource_tags: { "Name": "{{ wl_name }}-bbe-db" }
    internet_gateway: True
    route_tables:
      - subnets:
          - 10.{{ wl_vpc_prefix }}.1.0/24
        routes:
          - dest: 0.0.0.0/0
            gw: igw
  register: vpc
```

Does anyone have any idea what the problem is here?

Thanks, Guy
[ansible-project] debconf with variable is not really idempotent?
Hi,

I am using the following line in an Ansible playbook:

```
debconf: name={{ item.name }} question={{ item.question }} vtype={{ item.vtype }} value={{ item.value }}
with_items:
  - { name: mariadb-server-10.0, question: mysql-server/root_password, vtype: password, value: "{{mysql_root_password}}" }
  - { name: mariadb-server-10.0, question: mysql-server/root_password_again, vtype: password, value: "{{mysql_root_password}}" }
```

But the task is marked as changed at every execution. I would expect it to be changed only if the values are different than the previous ones and skipped otherwise. Moreover, when the value is explicitly given (instead of referencing a variable), the behaviour is as expected and the task is skipped if it was already set.

Is it a bug or an expected feature?

Thanks!

-- Phyks
Re: [ansible-project] Re: Error with playbook, which should create user accounts and set authorized public keys
your debug is indicative that 'users' is undefined, that is why it is failing (we made the message much clearer in 2.0)

-- Brian Coca
Re: [ansible-project] Importing custom python library from ansible custom module
Hi Tim,

Thank you very much for the update. It helps a lot, thank you very much. Indeed, I have chosen your second option as it is easier to maintain and avoid any conflict with other systems. The inifile.py is too big to be included in the custom module but I would not do this as I wouldn't be able to re-utilise it.

Here is how I did it:

In my playbook or role:

```
tasks:
  - name: Upload python module
    copy: src=library/inifile.py dest=/tmp/inifile.py
```

In my custom module:

```
import sys
sys.path.append('/tmp')
from inifile import IniFile
```

And to answer your question, what I am trying to achieve here is an extension to the ini_file module in Ansible. The current module doesn't answer my needs such as:

- setting easily a continuous list of options such as:
  - whitelist.0 = item1
  - whitelist.1 = item2
  - whitelist.2 = item3
- checking and replacing a list of options (such as [ower, owne]) by one option name (owner)
- Dealing with options that don't have a section (generally means that this is default to all sections)
- Dealing with empty name section ([]) and comments - this one I am less sure about but I know that the ConfigParser cannot handle this.

Thank you again for your precious help.

Regards, Olivier

On Thursday, 16 July 2015 15:20:03 UTC+1, Timothy Appnel wrote:
> I didn't give up at all. Far from it! I started working for Ansible. Last I spoke to my former co-workers they are still using options 2 that I setup because they do not have the ability to install python libraries in the default library path.
>
> tim/
Re: [ansible-project] debconf with variable is not really idempotent?
Is there any way to work around that?
Re: [ansible-project] Importing custom python library from ansible custom module
I'm glad you were able to work something out and I was helpful. A couple of quick added thoughts on this.

I wouldn't recommend just dropping your library in to just /tmp to avoid a potential conflict with another job or process. Perhaps create a separate directory like the name of your project or playbook under tmp and store it there? I think creating a specific directory helps avoid this.

I also wouldn't recommend embedding a library path in your custom module for maintainability. It's working for you now, but the thought of having to have that path line up in two different places makes me uneasy. I used the environment arg and appended the path to our libraries to PYTHONPATH. Everything is in one place: the playbook. A var to hold the path (you can use Ansible facts to really create a unique path that won't get tread on), the path create, the copy, the environment setting. Change it in one place and the change propagates through.

Just some food for thought.

tim/
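The advice above (a dedicated directory instead of bare /tmp) can also be checked on the module side before the import path is extended. The following is an added example, not code from the thread or from Ansible: the helper names, the temporary directories and the stand-in `inifile.py` contents are constructed for illustration, and it targets Python 3.

```python
import importlib
import os
import shutil
import stat
import sys
import tempfile

# Constructed stand-in for the thread's inifile.py (assumption, not the real file).
STAND_IN_SOURCE = 'class IniFile(object):\n    """Constructed stand-in."""\n'


def _is_private(path, type_check):
    """True if path has the expected type, is owned by the current user or
    root, and is not writable by group or others."""
    try:
        st = os.lstat(path)  # lstat: a symlink must not pass as the real thing
    except OSError:
        return False
    if not type_check(st.st_mode):
        return False
    if st.st_uid not in (0, os.getuid()):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def is_private_dir(path):
    return _is_private(path, stat.S_ISDIR)


def is_private_file(path):
    return _is_private(path, stat.S_ISREG)


def import_from_private_dir(module_name, lib_dir):
    """Import module_name from lib_dir only if the directory and the module
    file cannot be modified by other accounts on the host."""
    lib_dir = os.path.abspath(lib_dir)
    if not is_private_dir(lib_dir):
        raise ImportError("refusing %s: directory is not private" % lib_dir)
    source = os.path.join(lib_dir, module_name + ".py")
    if not is_private_file(source):
        raise ImportError("refusing %s: file is not private" % source)
    if lib_dir not in sys.path:
        sys.path.insert(0, lib_dir)
    importlib.invalidate_caches()
    return importlib.import_module(module_name)


def demo():
    """Import from a 0700 directory, then show the refusal for a 0777 one."""
    results = {}
    private = tempfile.mkdtemp(prefix="myproject-lib-")  # created with mode 0700
    shared = tempfile.mkdtemp(prefix="shared-lib-")
    try:
        for directory in (private, shared):
            path = os.path.join(directory, "inifile.py")
            with open(path, "w") as handle:
                handle.write(STAND_IN_SOURCE)
            os.chmod(path, 0o600)
        os.chmod(shared, 0o777)  # writable by everyone, like a shared temp dir
        module = import_from_private_dir("inifile", private)
        results["private_import"] = module.IniFile.__name__
        try:
            import_from_private_dir("inifile", shared)
            results["shared_refused"] = False
        except ImportError:
            results["shared_refused"] = True
    finally:
        # Leave no trace of the demo in the interpreter or on disk.
        sys.modules.pop("inifile", None)
        if private in sys.path:
            sys.path.remove(private)
        shutil.rmtree(private)
        shutil.rmtree(shared)
    return results


if __name__ == "__main__":
    print(demo())
```

In the thread's setup the directory would be created by the playbook with mode 0700 before `inifile.py` is copied into it.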
Re: [ansible-project] tags with roles
Hi Vlado,

I think you are misunderstanding the feature. There is no sub-selection with tags on role definition, when you:

```
- {role: testrole, tags: ['']}
```

What you are doing is tagging all tasks in testrole with '' on top of existing tags. So it would look like this once imported:

```
- name: tag
  local_action: command echo
  tags:
    -
- name: tag
  local_action: command echo
  tags:
    -
    -
```

You are not saying 'run only those tagged with '', that is not possible when specifying a role to import. I suggest making 2 roles and only importing the one with the tasks you want to execute.

-- Brian Coca
Re: [ansible-project] debconf with variable is not really idempotent?
passwords cannot be read, so they always appear as changed, this is a limitation of debconf itself. all other field types should work as you expect

--
Brian Coca
[ansible-project] Ansible provisioning through bastion SSH host
Hi folks,

I'm encountering issues provisioning with Ansible via SSH from outside our datacenter (well, AWS Virtual Private Cloud).

Our bastion hosts (jump boxes) are configured to accept SSH keys from staff members. Boxes behind the bastion hosts accept only the SSH keys created for the jumpbox user on the bastion hosts. This makes our administration easier in the event of key compromise or staff turnover (only need to rotate out on the jumpboxes).

The ProxyCommand examples I've seen for Ansible rely on agent forwarding and netcat. I want Ansible to SSH in to the bastion host, then run a second SSH command with the private key of the bastion host. Thus agent forwarding is useless here.

I've tried replacing the netcat ProxyCommand with

    ssh -q -t awsjumpbox1 ssh -p %p %h

and I get mysterious failures that even - doesn't provide much insight on. For instance:

    fatal: [172.31.17.144] = SSH Error: -bash: line 1: SSH-2.0-OpenSSH_6.6.1_hpn13v11: command not found
    It is sometimes useful to re-run the command using -, which prints SSH debug output to help diagnose the issue.

Our ansible.cfg looks like:

    [defaults]
    host_key_checking = False

    [ssh_connection]
    ssh_args = -o ControlPersist=15m -F ssh.config -q
    scp_if_ssh = True
    control_path = ~/.ssh/mux-%%r@%%h:%%p

Our ssh.config (simplified) looks like:

    Host jumpbox
      HostName (redacted)
      User (redacted)
      BatchMode yes
      PasswordAuthentication no

    Host *
      ServerAliveInterval 60
      TCPKeepAlive yes
      #ProxyCommand ssh -q -A -t jumpbox nc %h %p # have tried this one too
      ProxyCommand ssh -q -t jumpbox ssh -p %p %h
      ControlMaster auto
      ControlPath ~/.ssh/ansible-%r@%h:%p
      ControlPersist 8h
      User (redacted)

Our boxes are running the standard Amazon AMI (which I am led to believe are CentOS-based).

We are open to rethinking the aforementioned strategy re: the keys if that's the only way. I'll be interested in anyone's thoughts on the matter. Thank you.

Best regards,
Andrew Merenbach
Senior DevOps Engineer at Edlio Inc
Re: [ansible-project] Importing custom python library from ansible custom module
Hi Tim,

Very good point. I will definitely change it accordingly. Thank you again.

Regards,
Olivier

On Thursday, 16 July 2015 20:53:15 UTC+1, Timothy Appnel wrote:

I'm glad you were able to work something out and I was helpful. A couple of quick added thoughts on this.

I wouldn't recommend just dropping your library in to just /tmp to avoid a potential conflict with another job or process. Perhaps create a separate directory like the name of your project or playbook under tmp and store it there? I think creating a specific directory helps avoid this.

I also wouldn't recommend embedding a library path in your custom module for maintainability. It's working for you now, but the thought of having to have that path line up in two different places makes me uneasy. I used the environment arg and appended the path to our libraries to PYTHONPATH. Everything is in one place: the playbook. A var to hold the path (you can use Ansible facts to really create a unique path that won't get tread on), the path create, the copy, the environment setting. Change it in one place and the change propagates thru. Just some food for thought.

tim/

On Thu, Jul 16, 2015 at 3:30 PM, Olivier Lauret olivier...@googlemail.com wrote:

Hi Tim,

Thank you very much for the update. It helps a lot, thank you very much. Indeed, I have chosen your second option as it is easier to maintain and avoid any conflict with other systems. The inifile.py is too big to be included in the custom module but I would not do this as I wouldn't be able to re-utilise it.

Here is how I did it:

In my playbook or role:

    tasks:
      - name: Upload python module
        copy: src=library/inifile.py dest=/tmp/inifile.py

In my custom module:

    import sys
    sys.path.append('/tmp')
    from inifile import IniFile

And to answer your question, what I am trying to achieve here is an extension to the ini_file module in Ansible. The current module doesn't answer my needs such as:

- setting easily a continuous list of options such as:
    - whitelist.0 = item1
    - whitelist.1 = item2
    - whitelist.2 = item3
- checking and replacing a list of options (such as [ower, owne]) by one option name (owner)
- Dealing with options that don't have a section (generally mean that this is default to all sections)
- Dealing with empty name section ([]) and comments - this one I am less sure about but I know that the ConfigParser cannot handle this.

Thank you again for your precious help.

Regards,
Olivier

On Thursday, 16 July 2015 15:20:03 UTC+1, Timothy Appnel wrote:

I didn't give up at all. Far from it! I started working for Ansible. Last I spoke to my former co-workers they are still using option 2 that I setup because they do not have the ability to install python libraries in the default library path.

tim/

On Thu, Jul 16, 2015 at 10:14 AM, Martin mar...@marcher.name wrote:

Hi,

On Thu, Jul 16, 2015 at 4:05 PM Timothy Appnel ti...@ansible.com wrote:

In a previous life I've had to do what you are attempting.

So what do you do now? It sounds like you went on and are using a completely different approach to achieve what the op wants to do (load custom code). I'm not asking about options but rather what you actually ended up with doing (give up and/or stopped using the tool are viable answers to me)

/Martin
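Tim's advice about not dropping the library straight into /tmp has a security side as well: /tmp is world-writable, so a module that imports from it trusts whatever another local user managed to place there. The following is an added example, not code from the thread; the function name add_private_library_dir, the exception class and the demo file name inifile_demo.py are hypothetical.

```python
import os
import stat
import sys


class UnsafePathError(Exception):
    """Raised when another local user could have written to the path."""


def _check_owner_and_mode(path, allowed_uids):
    """Reject symlinks, foreign owners and group/world-writable entries."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the leaf
    if stat.S_ISLNK(st.st_mode):
        raise UnsafePathError("%s is a symlink" % path)
    if st.st_uid not in allowed_uids:
        raise UnsafePathError("%s is owned by uid %d" % (path, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafePathError("%s is group- or world-writable" % path)
    return st


def add_private_library_dir(directory, module_file):
    """Append `directory` to sys.path only if nobody else can write to it.

    `directory` is the per-playbook directory the copy task uploaded to,
    `module_file` the library file inside it (inifile.py in the thread).
    Returns the absolute directory that was added.
    """
    directory = os.path.abspath(directory)
    allowed = {os.getuid(), 0}  # the user running the module, or root

    st = _check_owner_and_mode(directory, allowed)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError("%s is not a directory" % directory)

    fst = _check_owner_and_mode(os.path.join(directory, module_file), allowed)
    if not stat.S_ISREG(fst.st_mode):
        raise UnsafePathError("%s is not a regular file" % module_file)

    # append, as in the thread, so the upload cannot shadow stdlib modules
    if directory not in sys.path:
        sys.path.append(directory)
    return directory


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a private 0700 directory stands in for the
    # per-playbook upload directory.
    demo_dir = tempfile.mkdtemp(prefix="myplaybook-")
    demo_file = os.path.join(demo_dir, "inifile_demo.py")
    with open(demo_file, "w") as handle:
        handle.write("class IniFile(object):\n    pass\n")
    os.chmod(demo_file, 0o600)

    print("added:", add_private_library_dir(demo_dir, "inifile_demo.py"))
    try:
        add_private_library_dir("/tmp", "inifile_demo.py")
    except (UnsafePathError, OSError) as exc:
        print("refused /tmp:", exc)
```

On the playbook side the matching change is to have the file task create the directory with mode 0700 before the copy task uploads into it.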
[ansible-project] Re: Error with playbook, which should create user accounts and set authorized public keys
Your loop needs something to iterate over. Since ansible treats variables as strings, you need to make it a list. Try something like below:

    # cat ./split_users.yml
    ---
    - hosts: localhost
      connection: local
      gather_facts: no
      vars:
        userList: "{{ users }}"
      tasks:
        - name: split the user list
          debug: var=item
          with_items: userList.split(',')

    # ansible-playbook - split_users.yml -e 'users=moe,larry,curly'

    PLAY [localhost] **

    TASK: [split the user list] ***
    ok: [localhost] = (item=moe) = { item: moe, var: { item: moe } }
    ok: [localhost] = (item=larry) = { item: larry, var: { item: larry } }
    ok: [localhost] = (item=curly) = { item: curly, var: { item: curly } }

    PLAY RECAP
    localhost : ok=1    changed=0    unreachable=0    failed=0

On Wednesday, July 15, 2015 at 7:33:25 AM UTC-4, Dimitar Hristov wrote:

Hi Guys,

I get an error when I run a playbook, which aims to create new users and set authorized keys for them.

The error:

    TASK: [create new users] **
    fatal: [testvm1] = with_items expects a list or a set
    fatal: [testvm2] = with_items expects a list or a set

Here's a part of the playbook (the first task fails):

    - name: create new users
      user: name={{ item.name }} group=wheel append=yes password={{user_password}}
      with_items: "{{users}}"
    - name: set pub keys
      authorized_key: user={{ item.0.name }} key='{{ lookup('file', item.1) }}'
      with_subelements:
        - users
        - authorized
    - name: set pass expiration
      command: /usr/bin/chage -d 0 {{ item.name }}
      with_items: "{{users}}"

Here's the var file:

    ---
    wheelsregex: '# *%wheel *ALL=\(ALL\) *ALL'
    user_password: 12345678
    users:
      - name: test
        authorized:
          - /etc/ansible/add_users/files/test.pub
      - name: test1
        authorized:
          - /etc/ansible/add_users/files/test1.pub
      - name: test2
        authorized:
          - /etc/ansible/add_users/files/test2.pub

Any idea where's my mistake? I saw that it might be related to ansible version, so mine is 1.9.2.

Regards,
Dimitar
[ansible-project] Re: how to set up kerberos
Have you installed pykerberos?

Also, use klist to check that the tgt ticket is for the user and domain you expect.

be aware that the domain name seems to need to be in upper case so kinit u...@my.domain.com not kinit u...@my.domain.com

Also, make sure you have patched windows server 2008 R2 - as per this advice on http://docs.ansible.com/intro_windows.html#windows-system-prep

    On Windows 7 and Server 2008 R2 machines, due to a bug in Windows Management Framework 3.0, it may be necessary to install this hotfix http://support.microsoft.com/kb/2842230 to avoid receiving out of memory and stack overflow exceptions. Newly-installed Server 2008 R2 systems which are not fully up to date with windows updates are known to have this issue.

I recommend running your ansible-playbook -v to see the connection debugging information if it still fails. Also running eventvwr on the windows machine and checking if there are any logon events in Windows Logs - Security

Hope this helps. If you discover anything that helps please reply so we can provide more information in the documentation.

Jon

On Thursday, July 16, 2015 at 4:54:58 PM UTC+1, Guillaume Querso wrote:

hi all!

I am currently using ansible 1.9.2 on a RHEL 6 server. what I would like is to connect to a windows 2008 R2 server via kerberos to be able to use domain accounts.

- What i did: creating a ticket on the linux server for the concerned domain account. Synchronized the clocks.
- What it is not working: i have a: 401 unauthorized access when i try to run a playbook.

Do you know what i am missing? Thanks for your help on this!

Guillaume Q
[ansible-project] tree/hierarchic structure for inventory?
We are working on the same problem. Right now we are using a custom piece of python code with nested dicts to represent our group and return them as json.
Re: [ansible-project] delegate_to does not work for array of hosts passed in to role
I see the same behavior with the moustaches:

    - name: Test delegate to
      shell: echo {{ groups.consul_server[0] }} hostname -i
      register: __hostname
      delegate_to: "{{ groups.consul_server[0] }}"
    - debug: var=__hostname

    TASK: [Test delegate to] *
    10.0.196.116 REMOTE_MODULE command echo 10.0.196.116 hostname -i #USE_SHELL
    10.0.196.116 EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917 chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917 echo $HOME/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917']
    10.0.196.116 PUT /tmp/tmpDXWJFH TO /home/bkaplan/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917/command
    10.0.196.116 EXEC ['/bin/sh', '-c', u'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/bkaplan/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917/command; rm -rf /home/bkaplan/.ansible/tmp/ansible-tmp-1437108695.64-26819269533917/ /dev/null 21']
    changed: [localhost - 10.0.196.116] = {changed: true, cmd: echo \10.0.196.116\ hostname -i, delta: 0:00:00.004458, end: 2015-07-17 10:21:35.693136, rc: 0, start: 2015-07-17 10:21:35.688678, stderr: , stdout: 10.0.196.116\n127.0.1.1, warnings: []}

    TASK: [debug var=__hostname] **
    ok: [localhost] = {
        var: {
            __hostname: {
                changed: true,
                cmd: echo \10.0.196.116\ hostname -i,
                delta: 0:00:00.004458,
                end: 2015-07-17 10:21:35.693136,
                invocation: {
                    module_args: echo \10.0.196.116\ hostname -i,
                    module_name: shell
                },
                rc: 0,
                start: 2015-07-17 10:21:35.688678,
                stderr: ,
                stdout: 10.0.196.116\n127.0.1.1,
                stdout_lines: [
                    10.0.196.116,
                    127.0.1.1
                ],
                warnings: []
            }
        }
    }
Re: [ansible-project] delegate_to does not work for array of hosts passed in to role
Hmm, thought I tried that, but will check. Thanks Brian.

I wonder whether it would be better for it to be an error if delegate_to does not resolve rather than silently fall back to localhost... Depending on the task fallback to localhost could do some serious damage.
Re: [ansible-project] debconf with variable is not really idempotent?
Sounds like all password fields are not treated this way. Indeed, `debconf-get-selections` returns:

    mariadb-server-10.0 mysql-server/root_password_again password THE_PASSWORD

--
Phyks

On 17/07/2015 01:22, Brian Coca wrote:

Not that i know of, debian's debconf deals with passwords this way, probably to prevent possible security issues. If someone figures out a way to compare all the passwords, I'm all open. In the mysql case we can read the /etc/my.cnf, but ... really we should not be doing that.

--
Brian Coca
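Phyks's observation above is that `debconf-get-selections` prints the stored value of a password question. The added example below (not the debconf module's code and not from the thread) parses that output to list password questions that still hold a value, and compares a stored value with a desired one in constant time without ever returning it. The sample text is constructed and the function names are hypothetical.

```python
import hmac

# Constructed sample in the debconf-get-selections layout:
#   owner <TAB> question <TAB> type <TAB> value
SAMPLE = "\n".join([
    "# Constructed sample, not real host data",
    "mariadb-server-10.0\tmysql-server/root_password_again\tpassword\tTHE_PASSWORD",
    "mariadb-server-10.0\tmysql-server/root_password\tpassword\t",
    "tzdata\ttzdata/Areas\tselect\tEurope",
    "postfix\tpostfix/mailname\tstring\tmail.example.org",
])


def parse_selections(text):
    """Map (owner, question) -> (type, value) for every selection line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 3)  # the value itself may contain spaces
        if len(fields) < 3:
            continue  # malformed line, ignore
        owner, question, qtype = fields[:3]
        value = fields[3] if len(fields) == 4 else ""
        entries[(owner, question)] = (qtype, value)
    return entries


def stored_passwords(text):
    """Return the password questions that still hold a value.

    Only (owner, question) pairs are returned, never the secret, so the
    result is safe to log or to fail a compliance check on.
    """
    return sorted(
        key
        for key, (qtype, value) in parse_selections(text).items()
        if qtype == "password" and value
    )


def password_needs_update(text, owner, question, desired):
    """True when the stored password is absent or differs from `desired`.

    The comparison is constant time and the stored value never leaves
    this function.
    """
    qtype, current = parse_selections(text).get(
        (owner, question), ("password", "")
    )
    if qtype != "password":
        raise ValueError("%s is of type %s, not password" % (question, qtype))
    return not hmac.compare_digest(
        current.encode("utf-8"), desired.encode("utf-8")
    )


if __name__ == "__main__":
    for owner, question in stored_passwords(SAMPLE):
        print("stored password still present: %s %s" % (owner, question))
    print(password_needs_update(
        SAMPLE, "mariadb-server-10.0",
        "mysql-server/root_password_again", "THE_PASSWORD"))
```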
[ansible-project] Re: Ansible provisioning through bastion SSH host
Correction: the non-working command is

    ssh -q -t jumpbox1 ssh -p %p %h

(not awsjumpbox1)

On Thursday, July 16, 2015 at 11:33:00 AM UTC-7, and...@edlio.com wrote:

Hi folks,

I'm encountering issues provisioning with Ansible via SSH from outside our datacenter (well, AWS Virtual Private Cloud).

Our bastion hosts (jump boxes) are configured to accept SSH keys from staff members. Boxes behind the bastion hosts accept only the SSH keys created for the jumpbox user on the bastion hosts. This makes our administration easier in the event of key compromise or staff turnover (only need to rotate out on the jumpboxes).

The ProxyCommand examples I've seen for Ansible rely on agent forwarding and netcat. I want Ansible to SSH in to the bastion host, then run a second SSH command with the private key of the bastion host. Thus agent forwarding is useless here.

I've tried replacing the netcat ProxyCommand with

    ssh -q -t awsjumpbox1 ssh -p %p %h

and I get mysterious failures that even - doesn't provide much insight on. For instance:

    fatal: [172.31.17.144] = SSH Error: -bash: line 1: SSH-2.0-OpenSSH_6.6.1_hpn13v11: command not found
    It is sometimes useful to re-run the command using -, which prints SSH debug output to help diagnose the issue.

Our ansible.cfg looks like:

    [defaults]
    host_key_checking = False

    [ssh_connection]
    ssh_args = -o ControlPersist=15m -F ssh.config -q
    scp_if_ssh = True
    control_path = ~/.ssh/mux-%%r@%%h:%%p

Our ssh.config (simplified) looks like:

    Host jumpbox
      HostName (redacted)
      User (redacted)
      BatchMode yes
      PasswordAuthentication no

    Host *
      ServerAliveInterval 60
      TCPKeepAlive yes
      #ProxyCommand ssh -q -A -t jumpbox nc %h %p # have tried this one too
      ProxyCommand ssh -q -t jumpbox ssh -p %p %h
      ControlMaster auto
      ControlPath ~/.ssh/ansible-%r@%h:%p
      ControlPersist 8h
      User (redacted)

Our boxes are running the standard Amazon AMI (which I am led to believe are CentOS-based).

We are open to rethinking the aforementioned strategy re: the keys if that's the only way. I'll be interested in anyone's thoughts on the matter. Thank you.

Best regards,
Andrew Merenbach
Senior DevOps Engineer at Edlio Inc
[ansible-project] Match multiple consecutive lines in lineinfile
Hi,

I need to add a specific line after some lines in a config file. Due to the structure of the file, I have to match several consecutive lines to ensure the line will go to the right place (and I know about template and copy, but they won't fit my needs in this case).

My problem is that it seems the regexp argument in Ansible does not match \n, contrary to the line argument. Is there a workaround?

Thanks!

--
Phyks
Re: [ansible-project] debconf with variable is not really idempotent?
Not that i know of, debian's debconf deals with passwords this way, probably to prevent possible security issues. If someone figures out a way to compare all the passwords, I'm all open. In the mysql case we can read the /etc/my.cnf, but ... really we should not be doing that.

--
Brian Coca
[ansible-project] Adding private key to remote host
Hi all!

In my company, we have playbooks to set up brand new servers in different roles, so that we can quickly configure new servers in case of expansion, emergency, etc. One of the steps involved in these setups is adding a private key to some of them.

Now, this goes great 99% of the time, since it usually involves adding a .ssh/id_rsa key, and ssh will attempt to use it automatically, (based on its name I believe)

However, the problem is when adding private keys with a non standard name. Say for example a server will hold 2 keys, one id_rsa and the other id_rsa_git. Normally, the second key will not work until ssh is made aware of it with ssh-add. However, I seem to be unable to run this command with ansible.

Here's what I have tried:

    - command: ssh-add /home/{{ user }}/.ssh/id_rsa_git

Does not work, outputs Could not open a connection to your authentication agent.. Fair enough.

    - shell: eval $(ssh-agent) ssh-add /home/{{ user }}/.ssh/id_rsa_git

Seems to work, but doesn't. Here's the output I get if I run with the verbose flag:

    changed: [REDACTED] = {changed: true, cmd: eval \$(ssh-agent)\ ssh-add /home/johndoe/.ssh/id_rsa_git, delta: 0:00:00.006037, end: 2015-07-16 23:23:28.667177, rc: 0, start: 2015-07-16 23:23:28.661140, stderr: Identity added: /home/johndoe/.ssh/id_rsa_git (/home/johndoe/.ssh/id_rsa_git), stdout: Agent pid 28489}

Seems about right, right? That would be the output you would get if you ran it directly on the server. However, when I go to the server and I do ssh-add -l, I get The agent has no identities. Huh?

I thought maybe the user wasn't right. So I tried:

    shell: eval $(ssh-agent) ssh-add /home/{{ user }}/.ssh/id_rsa_git whoami
    remote_user: johndoe

But this of course fails, since johndoe cannot ssh into servers (it's a system user).

So, my question. Is there some sane way of doing the equivalent of ssh-add that I am not aware of?

Thanks in advance!
Re: [ansible-project] Adding private key to remote host
ssh-add relies on environment variables that are not available to ansible, so when you run the ssh-agent + ssh-add you are spawning a 2nd agent, while when you login you seem to be getting the env vars for the 1st agent, which did not get the keys added.

You'll have to do something like

    shell: . ssh_agent_env.sh ssh-add

Or you can guess and set the environment vars yourself, the socket file is normally in /tmp and owned by your user (i.e. /tmp/ssh-7Mk71cc78Qwb/agent.4567) where the last number is the agent's pid before forking, normally you can add +1 to get actual agent pid and set SSH_AGENT_PID=4568 and SSH_AUTH_SOCK=/tmp/ssh-7Mk71cc78Qwb/agent.4567. You can also use pgrep to confirm.

--
Brian Coca
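The socket and pid guess described in the reply above, as an added example (not code from the thread): it looks for agent sockets under a temp directory, accepts only sockets owned by the calling user inside a directory nobody else can enter, and derives the pid with the +1 heuristic from the reply. The function name find_agent_env is hypothetical, and the /tmp/ssh-XXXX/agent.N layout is taken from the path quoted in the reply.

```python
import glob
import os
import stat


def find_agent_env(tmp_root="/tmp", uid=None):
    """Return candidate SSH_AUTH_SOCK / SSH_AGENT_PID pairs for `uid`.

    Each candidate is a dict usable as the `environment` of a task.
    A socket is accepted only when it and its directory belong to `uid`
    and the directory grants no access to group or others.
    """
    uid = os.getuid() if uid is None else uid
    candidates = []
    pattern = os.path.join(tmp_root, "ssh-*", "agent.*")
    for path in sorted(glob.glob(pattern)):
        try:
            sock = os.lstat(path)
            parent = os.lstat(os.path.dirname(path))
        except OSError:
            continue  # vanished between glob and stat
        if not stat.S_ISSOCK(sock.st_mode) or sock.st_uid != uid:
            continue  # not a socket, or somebody else's agent
        if parent.st_uid != uid or parent.st_mode & 0o077:
            continue  # directory is reachable by other users
        suffix = path.rsplit(".", 1)[1]
        if not suffix.isdigit():
            continue
        candidates.append({
            "SSH_AUTH_SOCK": path,
            # heuristic from the reply: agent pid = socket suffix + 1;
            # confirm with pgrep before relying on it
            "SSH_AGENT_PID": str(int(suffix) + 1),
        })
    return candidates


if __name__ == "__main__":
    for env in find_agent_env():
        print("export SSH_AUTH_SOCK=%(SSH_AUTH_SOCK)s "
              "SSH_AGENT_PID=%(SSH_AGENT_PID)s" % env)
```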
Re: [ansible-project] delegate_to does not work for array of hosts passed in to role
you need moustaches:

    delegate_to: "{{groups.consul_server[0]}}"

only conditionals (when: ) do not need templating, with_ has a haphazard support for it which we plan to deprecate.

--
Brian Coca