[ansible-project] Is there a sane way to build a list of dictionaries from two lists?

[Ben Cohen]

I want to use with_nested to assemble a list by iterating over two lists
and extracting particular keys from both -- ideally something like ...:

- name: "Build flat list of security group rules that should exist"
  set_fact:
rulesList:
  - proto: "{{ item.1.proto }}"
from_port: "{{ item.1.from_port }}"
to_port: "{{ item.1.to_port }}"
cidr_ip: "{{ item.0 }}"
  with_nested:
- "{{ server_ips }}"
- "{{ webservice_security_rules }}"

I need to _build_ the list in advance so that I can pass the entire list
into the ec2_group module -- as in:

  ec2_group:
  name: some_group
  description: All security rules for some_group
  vpc_id: some_vpc
  region: some_region
  aws_access_key: "{{encrypted_access_key}}"
  aws_secret_key: "{{encrypted_secret_key}}"
  rules: "{{rulesList}}"

NOTE: I cannot use with_nested as an argument to the ec2_group module, that
would result in multiple task invocations -- but for idempotent behavior, I
need to pass ALL the rules to ec2_group module in one invocation.

What's a good way to accomplish this?

On a side note: I can't understand why ansible seems to go so far out of
its way to make this harder than it needs to be ...  Ansible really seems
to be sorely lacking in features that would make it easy to build up
data-structures from other data-structures ...

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibvcXC4KjmTXHf_imJqQL%3DGQctTcZkhd%2B%2Big5ieJKZ5MFQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Is there a way to handle the error which occurs when unable to unlock an ansible-vault file?

[Ben Cohen]

Hi -- I've got a playbook with multiple plays.  One play depends on ability
to unlock an ansible-vault and declares this fact in the var_files section
of the play:

a_playbook.yml
```
- hosts: local
  vars_files:
- var_files/encrypted_secret_variables.yml
  tasks:
```

Prior to ansible2 it was possible to run this playbook without providing
the ansible-vault-password as long as --skip-tags matched all tasks within
the play shown.

Is there a way to achieve this with ansible2?  My use case is that I have
some playbooks which define some automation tasks, portions of these
playbooks only need to be run some of the time and are only able to be run
by people who can decrypt the required vault.  Other plays wishing this
same playbook described related automation/manage related systems and
should be runnable with an appropriate -s option.

I'll give some more specifics on why I want to do this, maybe someone can
offer suggestions for alternative approach?  a_playbook.yml describes
release automation for a software artifact -- everything up to the actual
deployment of the release to its final production resting place is runnable
by anyone -- steps which involve mutating production systems to actually
deploy the release artifacts are only runnable when you unlock the vault.
Describing the whole end to end process in a single playbook is nice for
readability/reproducibility/portability ...

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibtLKUp3fx3Gh01ddx4Fv%2BvLb0P14r%2Bq213ewGK23_s7EA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] ansible_env is undefined

[Ben Cohen]

There are a lot of good reasons you might want to only change the search
path rather than "set" it.  And there are also reasons you might want to
have this mutated value for an environment variable be used only in the
context of a playbook run.

It would be very convenient to be able to _augment_ the environment
variables for a play (rather than only set) ...  Could ansible support
something like this maybe?

environment:
  PATH:"$PATH:/some/special/searchdir/for/this/play/"


The alternatives I can see are:
(1) repeat yourself a whole lot with environment declarations per task
(2) mutate the environment variable via the underlying shell environment
initialization system.
(3) fully specify the values for the mutated variable ...

The first option requires lots of repetition.  The second option spreads
the mutation requirements to other aspects of the system rather keeping
this changed behavior localized within the playbook execution context --
frequently you might not want this as you might be deliberately only using
some alternate search path during a particular play.  I'd say there is also
a fair amount of not cross-platform 'make-busy-work' to actually go through
the process of modifying the shell environment variables initialization
configuration in a persistent way...  Mutating shell environment
initialization this way will very probably hide/obscure a pretty meaningful
mutation behind someone's back rather than clearly declaring it up front as
part of the play's execution contract ...

Option 3 seems like the only approach that can work.  However it's not as
clean to me and requires manually managing the correct default system
search PATH values which are not necessarily the same across
systems/os/user accounts (etc).  Definitely introduces undesirable
consequences that are not possible to avoid ...

On Wed, Mar 2, 2016 at 10:52 AM, Ben Cohen <cohen@gmail.com> wrote:

> Thanks -- what's a good pattern to the PATH environment variable during a
> play?
>
> On Mon, Feb 29, 2016 at 7:42 PM, Brian Coca <bc...@ansible.com> wrote:
>
>> As per https://github.com/ansible/ansible/blob/devel/CHANGELOG.md
>>
>> "Fix to make implicit fact gathering task correctly inherit settings from
>> play, this might cause an error if settings environment on play depending
>> on 'ansible_env' which was previously ignored"
>>
>> On Mon, Feb 29, 2016 at 7:44 PM, Ben Cohen <cohen@gmail.com> wrote:
>>
>>> After upgrading ansible versions:
>>>
>>> ncohen@breathe ~/s/f/fn-ansible (master)> ansible --version
>>>
>>> ansible 2.0.1.0
>>>
>>>   config file = /Users/ncohen/software/face/fn-ansible/ansible.cfg
>>>
>>>   configured module search path = Default w/o overrides
>>>
>>> I'm getting an error on first usage of ansible_env variable
>>>
>>> ```
>>> - hosts: local
>>>   environment:
>>> PATH: "{{ ansible_env.PATH }}:/usr/local/bin"
>>>   tasks:
>>>   ...
>>> ```
>>>
>>>
>>> Error looks like this:
>>>
>>> ```
>>> PLAY
>>> ***
>>>
>>>
>>> TASK [setup]
>>> ***
>>>
>>> fatal: [localhost]: FAILED! => {"failed": true, "msg": "'ansible_env' is
>>> undefined"}
>>>
>>>
>>> NO MORE HOSTS LEFT
>>> *
>>>
>>> to retry, use: --limit @
>>>
>>> PLAY RECAP
>>> *
>>>
>>> localhost  : ok=0changed=0unreachable=0
>>> failed=1
>>> ```
>>>
>>> Anyone have any idea what's going on?  This worked on 2.0.0.1 without
>>> issue ...
>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-project+unsubscr...@googlegroups.com.
>>> To post to this group, send email to ansible-project@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/CABUBibsio9cKH7r8-CR%2Bd8xCJSe0SBC1jFGP2F3L%2B%3DLXCba5dw%40mail.gmail.com
>>> <https://groups.google.com/d/msgid/ansible-project/CABUBibsio9cKH7r8-CR%2Bd8xCJSe0SBC1jFGP2F3L%2B%3DLXCba5dw%40mail.gmail.com?utm_med

Re: [ansible-project] ansible_env is undefined

[Ben Cohen]

Thanks -- what's a good pattern to the PATH environment variable during a
play?

On Mon, Feb 29, 2016 at 7:42 PM, Brian Coca <bc...@ansible.com> wrote:

> As per https://github.com/ansible/ansible/blob/devel/CHANGELOG.md
>
> "Fix to make implicit fact gathering task correctly inherit settings from
> play, this might cause an error if settings environment on play depending
> on 'ansible_env' which was previously ignored"
>
> On Mon, Feb 29, 2016 at 7:44 PM, Ben Cohen <cohen@gmail.com> wrote:
>
>> After upgrading ansible versions:
>>
>> ncohen@breathe ~/s/f/fn-ansible (master)> ansible --version
>>
>> ansible 2.0.1.0
>>
>>   config file = /Users/ncohen/software/face/fn-ansible/ansible.cfg
>>
>>   configured module search path = Default w/o overrides
>>
>> I'm getting an error on first usage of ansible_env variable
>>
>> ```
>> - hosts: local
>>   environment:
>> PATH: "{{ ansible_env.PATH }}:/usr/local/bin"
>>   tasks:
>>   ...
>> ```
>>
>>
>> Error looks like this:
>>
>> ```
>> PLAY
>> ***
>>
>>
>> TASK [setup]
>> ***
>>
>> fatal: [localhost]: FAILED! => {"failed": true, "msg": "'ansible_env' is
>> undefined"}
>>
>>
>> NO MORE HOSTS LEFT
>> *
>>
>> to retry, use: --limit @
>>
>> PLAY RECAP
>> *
>>
>> localhost  : ok=0changed=0unreachable=0
>> failed=1
>> ```
>>
>> Anyone have any idea what's going on?  This worked on 2.0.0.1 without
>> issue ...
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-project+unsubscr...@googlegroups.com.
>> To post to this group, send email to ansible-project@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/CABUBibsio9cKH7r8-CR%2Bd8xCJSe0SBC1jFGP2F3L%2B%3DLXCba5dw%40mail.gmail.com
>> <https://groups.google.com/d/msgid/ansible-project/CABUBibsio9cKH7r8-CR%2Bd8xCJSe0SBC1jFGP2F3L%2B%3DLXCba5dw%40mail.gmail.com?utm_medium=email_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> --
> --
> Brian Coca
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CACVha7f61cUZwLjm-%3DBEPmJB-EPDJK5x%3DPBf4Y3%2B%2BNJTcuqUfQ%40mail.gmail.com
> <https://groups.google.com/d/msgid/ansible-project/CACVha7f61cUZwLjm-%3DBEPmJB-EPDJK5x%3DPBf4Y3%2B%2BNJTcuqUfQ%40mail.gmail.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibvJZhfwNnyri0KOnkdxpx1EfsSR%3DKqwuiPMNWq6ajH2Eg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] ansible_env is undefined

[Ben Cohen]

After upgrading ansible versions:

ncohen@breathe ~/s/f/fn-ansible (master)> ansible --version

ansible 2.0.1.0

  config file = /Users/ncohen/software/face/fn-ansible/ansible.cfg

  configured module search path = Default w/o overrides

I'm getting an error on first usage of ansible_env variable

```
- hosts: local
  environment:
PATH: "{{ ansible_env.PATH }}:/usr/local/bin"
  tasks:
  ...
```


Error looks like this:

```
PLAY
***


TASK [setup]
***

fatal: [localhost]: FAILED! => {"failed": true, "msg": "'ansible_env' is
undefined"}


NO MORE HOSTS LEFT
*

to retry, use: --limit @

PLAY RECAP
*

localhost  : ok=0changed=0unreachable=0failed=1

```

Anyone have any idea what's going on?  This worked on 2.0.0.1 without issue
...

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibsio9cKH7r8-CR%2Bd8xCJSe0SBC1jFGP2F3L%2B%3DLXCba5dw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] Re: directory layout for grouping playbooks - ansible.cfg ?

[Ben Cohen]

I also yearn for a solution to this problem -- I think that ansible
playbooks don't compose well -- and roles are (in my opinion) a not-so-good
abstraction for code re-use / process organization.  Frequently for the
'orchestration' portion of some automation I find myself needing playbooks
and the only way I can write playbook logic with access to resources that
is shared with other playbooks (vars, group_vars, plugins etc) is to keep
them all in what becomes a giant directory of playbooks ...  Its both
annoying and harder to organize/package for other users than it would be if
I could compose the playbook units in a better way ...  I'd love to be able
to:

(1) include a playbook from another playbook with dynamically specified
hosts: eg something like:
include: some-playbook.yml hosts={{some_host_or_group_determined_by_logic}}

(2) organize my playbooks so that I can suggest to other developers which
playbooks are entry points and which are only meant to be used as part of
other automation pipelines -- while keeping a unified
'file/template/plugin/var_file...' search space ...
include: ./some_dir/some-playbook.yml keep_resource_search_paths=true


On Mon, Jan 4, 2016 at 5:50 PM, Yoshi Spendiff 
wrote:

> Hi,
>
> Torsten, did you ever find an answer?
>
> It seems like it should be trivial to simply have a *plays *or *playbooks
> *directory, but I'm not finding a good way to do it...
>
> Breaking down into projects isn't what I'm looking for as I'd like to
> share roles
>
> Regards,
> Yoshi
>
>
> On Thursday, May 28, 2015 at 8:09:06 AM UTC-7, Ulrich Hochholdinger wrote:
>>
>> Hi,
>> I'm also in the situation to get "many" different projects under control
>> and use following directory structure:
>> - one folder per project with dependeing playbooks and roles
>> - global inventory with one folder per stage (since the project share
>> hosts I made only one inventory )
>> - group_vars and host_vars only in inventory
>> - global "site.yml' including playbooks out of projects
>> - "only for "global_roles" I had to add one Entry in roles_path in my
>> ansible.cfg
>>
>> I don't know if this is good practice. Improvements and tips are welcome
>> :D
>>
>> Details:
>>
>> site.yml example:
>> ---
>> - include project1/deployment.yml
>> - include project2/play.yml
>> ...
>>
>> Directory-Layout:
>>  ansible/
>> ├── site.yml
>> ├── project1/
>> │   ├── character1.yml
>> │   ├── character2.yml
>> │   ├── config_mgmt.yml
>> │   ├── deployment.yml
>> │   ├── library/
>> │   │   └── module1
>> │   ├── roles/
>> │   │   ├── role1/
>> │   │   └── role2/
>> │   └── site.yml
>> ├── project2/
>> │   ├── roles/
>> │   └──  ...
>> ├── project3/
>> ├── .../
>> ├── global_roles/
>> │   ├── role1/
>> │   └── role2/
>> ├── inventory/
>> │   ├── development/
>> │   │   ├── project1
>> │   │   ├── project2
>> │   │   ├── 
>> │   │   ├── group_vars/
>> │   │   └── host-vars/
>> │   ├── integration/
>> │   │   └── ...
>> │   ├── staging/
>> │   └── production/
>>
>>
>> Cheers
>>  Ulli
>> Am Donnerstag, 28. Mai 2015 12:55:24 UTC+2 schrieb Torsten Reinhard:
>>>
>>> in addition, also the group_vars cannot be resolved - they are expected
>>> relative to the playbook(s) - or the inventory hosts file.
>>>
>>> => how do i define common group_vars/all.yml - when i want to structure
>>> my playbooks in (sub) directories ?
>>>
>>> Regards, Torsten
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/5f73dfaf-a13d-4336-af8d-922b3fe8fa3c%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibuuO%3DTqmc8vAr-d5tnedNn9cKYcG_zMvWfGXSASnOsaww%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] Manage SSh-Keys

[Ben Cohen]

I think you should take a look at the authorized_keys module again -- you
can pass multiple keys to a single invocation when using the exclusive
option which will enforce that exactly and only the list of  keys you
supplied are in the specified authorized_keys file.

On Thursday, October 22, 2015, DrDth  wrote:

> @esco This wouldn't manage the different users on the remote systems
>
> @Javier It does not exactly what I want, cause the last key in the loop is
> the one who becomes exclusive so none of the others will be in the
> authorized_keys file. I need an option for keeping all keys and only those
> which i choose to be the ones.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com
> 
> .
> To post to this group, send email to ansible-project@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/c59bb8d6-9bb1-4268-a3a2-5133672a28fa%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibv9TCQSRa04%2BqDjBL84LRUJ3Gz8%2Bn1FuS7cwzK8WnZztw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] Ansible 1.9.4 has been released

[Ben Cohen]

I'm not seeing any performance improvements notes -- but is anyone else
observing 1.9.4 to provide a _significant_ performance boost over 1.9.3?

On Friday, October 9, 2015, James Cammarata  wrote:

> Hi all, 1.9.4 has been released, and is now available.
>
> This release addresses several bugs, most notably those related to the yum
> module (introduced in 1.9.3):
>
> * Fixes a bug where yum state=latest would error if there were no updates
> to install.
> * Fixes a bug where yum state=latest did not work with wildcard package
> names.
> * Fixes a bug in lineinfile relating to escape sequences.
> * Fixes a bug where vars_prompt was not keeping passwords private by
> default.
> * Fix ansible-galaxy and the hipchat callback plugin to check that the
> host it
>   is contacting matches its TLS Certificate.
>
> As always, this update is available via PyPi and releases.ansible.com now,
> and packages for distros will be available as soon as possible.
>
> Thanks, and enjoy!
>
> James Cammarata
> Director, Ansible Core Engineering
> github: jimi-c
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com
> 
> .
> To post to this group, send email to ansible-project@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CAMFyvFiLjTw4hpK-fAg_yRTogDXWPZs04GctrF4TP0Z6OLpReA%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibt7PE-51QUkP1QmZ6-jJaW52yissVSwDY2K93YmX66wCQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] ansible2 -- filter_plugins

[Ben Cohen]

I wanted to start looking at ansible 2 now that its in beta -- most things
are working for me out of the box -- but I have a very simple custom filter
that I need to use which isn't being discovered:

sts-infrastructure (master)> cat filter_plugins/wrap.py

def wrap(list):

return [ '"' + x + '"' for x in list]


class FilterModule(object):

def filters(self):

return {

'wrap': wrap

}

I know a ansible2 migration guide is in the works -- I'm assuming this will
be a really quick fix though ...  Does anybody know how to define a custom
filter in ansible2?  Or have a link to a WIP of the migration guide?

Thanks,
Ben

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibs%2BYzO97JWCuAqH0gR66-Hkv5eq7a7DTkWmkUafHKdcpQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Re: windows winrm environment does not allow some kinds of execution

[Ben Cohen]

It's here if you want to take a look ...  I'll try and make any changes
needed ...

https://github.com/ansible/ansible-modules-extras/pull/1007

On Tuesday, September 22, 2015, J Hawkesworth <
j.r.hawkeswo...@googlemail.com> wrote:

> Thank you. Looking forward to seeing your PR.
>
> Jon
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com .
> To post to this group, send email to ansible-project@googlegroups.com
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/1af89200-fce7-4d52-b51d-ba56584c7e3a%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibtsPYh9yh14af11UzriGTTATUfO3seg0n7G_sO7PT0w%3DA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Re: windows winrm environment does not allow some kinds of execution

[Ben Cohen]

It turns out that after powershell 3 microsoft added a nice powershell api
for basically exactly the process I described (Register-ScheduledJob,
Receive-Job).  I re-implemented this ansible module using these powershell
api's and its relatively clean seeming -- I'm gonna go ahead and submit a
pull request to ansible-module-extras and see if anyone finds a use ...

On Thu, Sep 17, 2015 at 1:37 PM, Ben Cohen <cohen@gmail.com> wrote:

> I was trying to script the usage of the windows DISM utilities via ansible
> -- and ran into an issue with being unable to execute dism from within the
> winrm context.  Apparently some varieties of rpc (which DISM uses
> internally) are prevented from running from within the winrm execution
> context ...  What this amounts to with regard to dism is that you can
> execute the dism commands and they appear to work - but due to the obscure
> way that some component within the process fail, mounting an image always
> produces a corrupt/unusable mount point (Get-WinImages -Mounted always
> displays that the mounted image "requires remount")
>
> I actually couldn't find any good details on the topic -- other than this
> blog post from someone who discusses the fun unnecessarily annoying details
> associated with automating windows via winrm within the context of puppet:
>
>
> http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting
>
> And the workaround for the issue he came up with was to create a scheduled
> task from within winrm,  then manually trigger the running of the newly
> created scheduled task stashing away the stdout/stderr of the scheduled
> task execution, then poll for the ending of the process created by the
> triggered scheduled task, then lift the stashed output data back into winrm
> context for continued use in the winrm context.
>
> I adapted his script (
> https://github.com/mwrock/boxstarter/blob/master/BoxStarter.Common/Invoke-FromTask.ps1)
> into an ansible module -- which works something like this:
>
> (from within winrm context)
> (1) generate a wrapper powershell script to invoke the module's command
> argument and redirect stdout/stderr to magic file paths (module's command
> argument is assumed to invoke commands which can't execute properly from
> within winrm environment)
> (2) create a scheduled task as a particular user configured to invoke the
> powershell wrapper script created in step 1
> (3) manually trigger the running of the scheduled task
> -> causes a scheduled task to launch a process which doesn't have the
> winrm execution restrictions
> (4) poll for the end of the process launched by the scheduled task manager
> (5) when the scheduled task process ends, ingest the stdout/stderr results
> that were stashed away
> (6) cleanup the scheduled task and generated files
>
> Usage looks like this:
> win_invoke_from_task:
>   command: 'dism.exe /Mount-Wim
> /WimFile:{{sts_windows_image_build_dir}}\{{image}}.{{variant}}.wim
> /MountDir:{{sts_windows_image_mount_dir}} /index:1'
>   user: "{{ ansible_ssh_user }}"
>   credential: "{{ credential }}"
> register: image_contents
> tags: test
>
> I wondered if anyone encountered this and solved the problem in a
> different way or would be interested in this module ...?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibuRb-UkOwykH1osw56815c0PdyBSvRfXRTfF_AoGiiCAA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] windows winrm environment does not allow some kinds of execution

[Ben Cohen]

I was trying to script the usage of the windows DISM utilities via ansible
-- and ran into an issue with being unable to execute dism from within the
winrm context.  Apparently some varieties of rpc (which DISM uses
internally) are prevented from running from within the winrm execution
context ...  What this amounts to with regard to dism is that you can
execute the dism commands and they appear to work - but due to the obscure
way that some component within the process fail, mounting an image always
produces a corrupt/unusable mount point (Get-WinImages -Mounted always
displays that the mounted image "requires remount")

I actually couldn't find any good details on the topic -- other than this
blog post from someone who discusses the fun unnecessarily annoying details
associated with automating windows via winrm within the context of puppet:

http://www.hurryupandwait.io/blog/safely-running-windows-automation-operations-that-typically-fail-over-winrm-or-powershell-remoting

And the workaround for the issue he came up with was to create a scheduled
task from within winrm,  then manually trigger the running of the newly
created scheduled task stashing away the stdout/stderr of the scheduled
task execution, then poll for the ending of the process created by the
triggered scheduled task, then lift the stashed output data back into winrm
context for continued use in the winrm context.

I adapted his script (
https://github.com/mwrock/boxstarter/blob/master/BoxStarter.Common/Invoke-FromTask.ps1)
into an ansible module -- which works something like this:

(from within winrm context)
(1) generate a wrapper powershell script to invoke the module's command
argument and redirect stdout/stderr to magic file paths (module's command
argument is assumed to invoke commands which can't execute properly from
within winrm environment)
(2) create a scheduled task as a particular user configured to invoke the
powershell wrapper script created in step 1
(3) manually trigger the running of the scheduled task
-> causes a scheduled task to launch a process which doesn't have the winrm
execution restrictions
(4) poll for the end of the process launched by the scheduled task manager
(5) when the scheduled task process ends, ingest the stdout/stderr results
that were stashed away
(6) cleanup the scheduled task and generated files

Usage looks like this:
win_invoke_from_task:
  command: 'dism.exe /Mount-Wim
/WimFile:{{sts_windows_image_build_dir}}\{{image}}.{{variant}}.wim
/MountDir:{{sts_windows_image_mount_dir}} /index:1'
  user: "{{ ansible_ssh_user }}"
  credential: "{{ credential }}"
register: image_contents
tags: test

I wondered if anyone encountered this and solved the problem in a different
way or would be interested in this module ...?

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibvKHY8CRrvDLEQBBKck-ASTwNQSN9PgiWi0-rYredS9rA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] questions regarding ansible raw module on windows

[Ben Cohen]

I'm seeing some references online that make it sound like the ansible "raw"
module when run versus windows hosts (winrm) should allow execution of
powershell commands -- I'm able to execute raw: commands with the older
windows shell (batch file syntax) -- but don't seem to be able to use any
powershell utilities ...


 ESTABLISH WINRM CONNECTION FOR USER: ansible
on PORT 5986 TO sts-m93p-automaton.ucsd.edu

 WINRM CONNECT: transport=plaintext endpoint=
https://sts-m93p-automaton.ucsd.edu:5986/wsman

 EXEC Get-Item c:

 WINRM EXEC 'Get-Item' ['c:']

 WINRM RESULT 

failed: [sts-m93p-automaton.ucsd.edu] => {"rc": 1}

stderr: 'Get-Item' is not recognized as an internal or external command,

operable program or batch file.


Is there something that needs to be done for the raw module to allow
execution of powershell snippets?

If anyone has any advice I'd be appreciative!

Thanks,

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibu7pF_vimT1%3DVXQmBSBB8eN1sMuxKnsNNv4%3D%3Do3%2Bo4jXA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Composability: is there a way to implement a module as a series of ansible tasks?

[Ben Cohen]

I really like the ansible module interface: pure functions are powerful,
super simple and really great.  The with_items syntax adds a lot of power
on top with very low cognitive overhead that helps keep you laser focused
on describing your objectives in ways that tend to be very declarative.

Sometimes though, I've got a task that I need to do multiple times but
can't express as a single module call -- or I might find myself needing to
do something somewhat tricky in multiple different places and I'd like to
avoid repeating the complexity.  I use the the roles/ system heavily to try
and reduce repetition, however some things just aren't easily refactored
into roles or its very awkward to do so and increases the cognitive
overhead of understanding the overall objective.

Does a mechanism exist which makes it possible to basically package up a
sequence of tasks as a module?

It would be (really really) cool if I could package up a sequence of tasks
as a custom module.  I imagine a syntax like this:

inside library/copyAndDecrypt.yml

---

- defineModule: copyAndDecrypt
  arguments:
src:
  type: string
  required: yes
dest:
  type: string
  required: yes
owner:
  type: string
  default: None
mode:
  type: string
  default: None
secret:
  type: string
  required: yes
  local_vars:
some_local_var: just convenient suguar for re-use within the module
  tasks:

- name: Decrypt contents of src and capture into a variable
  local_action: shell openssl aes-256-cbc -salt -a -d -in {{ src }} -k
{{ secret }}
  register: decryptedContents

- name: Ensure decrypted key is copied to expected location
  copy:
  args:
content: {{ decryptedContents }}
dest: /etc/nginx/ssl/sts_ssl_private.key
owner: {{ owner }}
mode: {{ mode }}


Usage would then be like using a module:

---

- name: Ensure decrypted ssl private key is deployed where webserver will
look for it
  copyAndDecrypt: src=path_on_control_node/to/encrypted_file
dest=/path/where/decrypted/file/should/live owner=root mode=0600

- name: Ensure all these secret files are decrypted and in place
  copyAndDecrypt: src={{item.src}} dest={{item.dest}}
owner=accountingDepartment mode=0600
  with_items:
- src: accounting/owed_money
  dest: {{ secret_base }}/
- src: accounting/stolen_money
  dest: {{ secret_base }}/
- src: accounting/lost_money
  dest: {{ secret_base }}/

Not entirely sure what the module would return, perhaps the value of the
first task with an error or the value of the last task with successful exit
... (ansible 2 handlers could be relevant though i'm not all that familiar
with what ansible2 is bringing to the table)...  I understand that ansible2
has block scope and other features coming -- though I don't know the
details, but I imagine it will make it significantly simpler to implement a
scope mechanism?  The idea being that the module has its own scope with
only passed in parameters and local_vars being accessible within and with
any registered variables referenced on tasks being accessible from only the
module scope ...

it seems like it would be relatively straightforward to implement something
like this in ansible2?  Would people be interested?

(or if I'm just missing that this feature exists already in some form,
please let me know as I'd love to use it!)

-- 
You received this message because you are subscribed to the Google Groups 
Ansible Project group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibvCY86Z-0ANCYe5Z1wXaG8BwqMhDVxsd%2BFB7pDDN_OFKQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] Gitter chat/channel for Ansible?

[Ben Cohen]

As a lurker whose email clients have mailed mailing lists unbearable -- id
love to see this!

On Monday, August 10, 2015, Hristo Stoyanov hr.stoya...@gmail.com wrote:

 Hi,
 I tried the IRC chat for Ansible and it is painful (especially from mobile
 device). Since Ansible is hosted on Github anyway, wouldn't it be better to
 leverage the free and integrated  Gitter chat? I have seen other projects
 on Github using it with great success ...

 Thanks for the great tool, btw!

 --
 You received this message because you are subscribed to the Google Groups
 Ansible Project group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ansible-project+unsubscr...@googlegroups.com
 javascript:_e(%7B%7D,'cvml','ansible-project%2bunsubscr...@googlegroups.com');
 .
 To post to this group, send email to ansible-project@googlegroups.com
 javascript:_e(%7B%7D,'cvml','ansible-project@googlegroups.com');.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/ansible-project/769319fd-6094-49db-bd4d-ffc413024165%40googlegroups.com
 https://groups.google.com/d/msgid/ansible-project/769319fd-6094-49db-bd4d-ffc413024165%40googlegroups.com?utm_medium=emailutm_source=footer
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Ansible Project group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibv4iEF4SCz563HJNc7i61a_hNsiubZAyEmBGEt7VyFOsA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ansible-project] fetch module fails checksum when remote user's shell is set to /bin/tcsh

[Ben Cohen]

Ah ok, yeah I didn't see the above answer in the response on the issue ...
I'm surprised this isn't a faq.

Thanks,
Ben

On Fri, May 8, 2015 at 5:27 PM, Brian Coca bc...@ansible.com wrote:

 hi, im the bot that closed the issue, in the response you might have
 missed the answer:

 set ansible_shell_type=csh group/host var for this host and
 checksumming should work again. Different shell families need
 different quoting.

 On Fri, May 8, 2015 at 8:25 PM, breatheoften cohen@gmail.com wrote:
  I created an issue reporting what appears to me to be a bug in the fetch
  module -- the fetch module succeeds in grabbing the remote file and then
  always fails its checksum test if the remote user's login shell is set to
  /bin/tcsh -- but works when the remote user's login shell is set to
  /bin/bash.
 
  I filed an issue along with simplified steps to reproduce:
 
 
 https://github.com/ansible/ansible-modules-core/issues/1297#event-300717455
 
  The issue was closed (by a bot?) -- with a note pointing me at this list.
 
  Is this a user issue or a bug?  I'm not seeing any documentation that
  implies that the remote_user's login shell needs to be bash ...  Is that
 a
  requirement of ansible?  This requirement is not described in the faq or
 any
  documentation that I find ...  I can't think of anything about my bug
 report
  that implies this is a user support issue.
 
  The fetch module behavior is broken when the remote user's login shell is
  set to /bin/tcsh.  That seems an awful lot like a bug to me ...
 
  I've been using ansible for awhile now -- usually the remote_user's login
  shell has always been bash -- but in some cases, some of these hosts have
  had their login shells changed and I can't necessarily immediately change
  them back to bash.
 
  Thanks,
  Ben
 
  --
  You received this message because you are subscribed to the Google Groups
  Ansible Project group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to ansible-project+unsubscr...@googlegroups.com.
  To post to this group, send email to ansible-project@googlegroups.com.
  To view this discussion on the web visit
 
 https://groups.google.com/d/msgid/ansible-project/09e25c17-b319-4e20-bd2a-597e4465b939%40googlegroups.com
 .
  For more options, visit https://groups.google.com/d/optout.



 --
 Brian Coca

 --
 You received this message because you are subscribed to the Google Groups
 Ansible Project group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to ansible-project+unsubscr...@googlegroups.com.
 To post to this group, send email to ansible-project@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/ansible-project/CAJ5XC8kvdRMdiRtswYkrQifsScVcrZwxgk8ZTxSra04bt%3DtUyQ%40mail.gmail.com
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Ansible Project group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CABUBibv12q8YSKAr1%2B-mnSmT%3D8hhmj2rc%3DGYKpVWjuoHVSS%2Bgw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.