2017-08-15 22:38:59 +02:00
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
---
2018-01-23 00:35:33 +01:00
ALLOW_WORLD_READABLE_TMPFILES :
2019-11-08 22:13:13 +01:00
name : Allow world-readable temporary files
2018-01-23 00:35:33 +01:00
default : False
description :
2019-11-08 22:13:13 +01:00
- This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.
2018-01-23 00:35:33 +01:00
- It is useful when becoming an unprivileged user.
env : [ ]
ini :
- {key: allow_world_readable_tmpfiles, section : defaults}
type : boolean
yaml : {key : defaults.allow_world_readable_tmpfiles}
version_added : "2.1"
2018-10-01 20:29:59 +02:00
ANSIBLE_CONNECTION_PATH :
name : Path of ansible-connection script
default : null
description :
- Specify where to look for the ansible-connection script. This location will be checked before searching $PATH.
- If null, ansible will start with the same directory as the ansible script.
type : path
env : [ {name : ANSIBLE_CONNECTION_PATH}]
ini :
- {key: ansible_connection_path, section : persistent_connection}
yaml : {key : persistent_connection.ansible_connection_path}
version_added : "2.8"
2017-06-14 17:08:34 +02:00
ANSIBLE_COW_SELECTION :
2017-08-20 17:20:30 +02:00
name : Cowsay filter selection
2017-06-14 17:08:34 +02:00
default : default
2017-08-15 22:38:59 +02:00
description : This allows you to chose a specific cowsay stencil for the banners or use 'random' to cycle through them.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COW_SELECTION}]
ini :
- {key: cow_selection, section : defaults}
ANSIBLE_COW_WHITELIST :
2017-08-20 17:20:30 +02:00
name : Cowsay filter whitelist
2017-06-14 17:08:34 +02:00
default : [ 'bud-frogs' , 'bunny' , 'cheese' , 'daemon' , 'default' , 'dragon' , 'elephant-in-snake' , 'elephant' , 'eyes' , 'hellokitty' , 'kitty' , 'luke-koala' , 'meow' , 'milk' , 'moofasa' , 'moose' , 'ren' , 'sheep' , 'small' , 'stegosaurus' , 'stimpy' , 'supermilker' , 'three-eyes' , 'turkey' , 'turtle' , 'tux' , 'udder' , 'vader-koala' , 'vader' , 'www' ]
2017-08-15 22:38:59 +02:00
description : White list of cowsay templates that are 'safe' to use, set to empty list if you want to enable all installed templates.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COW_WHITELIST}]
ini :
- {key: cow_whitelist, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
2017-08-20 17:20:30 +02:00
yaml : {key : display.cowsay_whitelist}
2017-06-14 17:08:34 +02:00
ANSIBLE_FORCE_COLOR :
2017-08-20 17:20:30 +02:00
name : Force color output
2017-07-07 02:21:53 +02:00
default : False
2017-08-20 17:20:30 +02:00
description : This options forces color mode even when running without a TTY or the "nocolor" setting is True.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_FORCE_COLOR}]
ini :
- {key: force_color, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
yaml : {key : display.force_color}
2017-06-14 17:08:34 +02:00
ANSIBLE_NOCOLOR :
2017-08-20 17:20:30 +02:00
name : Suppress color output
2017-07-07 02:21:53 +02:00
default : False
2017-08-15 22:38:59 +02:00
description : This setting allows suppressing colorizing output, which is used to give a better indication of failure and status information.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_NOCOLOR}]
ini :
- {key: nocolor, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
yaml : {key : display.nocolor}
2017-06-14 17:08:34 +02:00
ANSIBLE_NOCOWS :
2017-08-20 17:20:30 +02:00
name : Suppress cowsay output
2017-07-07 02:21:53 +02:00
default : False
2017-08-15 22:38:59 +02:00
description : If you have cowsay installed but want to avoid the 'cows' (why????), use this.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_NOCOWS}]
ini :
- {key: nocows, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
yaml : {key : display.i_am_no_fun}
2018-01-10 21:54:47 +01:00
ANSIBLE_COW_PATH :
2017-12-03 20:33:18 +01:00
name : Set path to cowsay command
default : null
description : Specify a custom cowsay path or swap in your cowsay implementation of choice
2018-01-10 21:54:47 +01:00
env : [ {name : ANSIBLE_COW_PATH}]
2017-12-03 20:33:18 +01:00
ini :
- {key: cowpath, section : defaults}
type : string
yaml : {key : display.cowpath}
2017-08-15 22:38:59 +02:00
ANSIBLE_PIPELINING :
2017-08-20 17:20:30 +02:00
name : Connection pipelining
2017-08-15 22:38:59 +02:00
default : False
description :
- Pipelining, if supported by the connection plugin, reduces the number of network operations required to execute a module on the remote server,
by executing many Ansible modules without actual file transfer.
- This can result in a very significant performance improvement when enabled.
2017-09-13 17:09:02 +02:00
- "However this conflicts with privilege escalation (become). For example, when using 'sudo:' operations you must first
disable 'requiretty' in /etc/sudoers on all managed hosts, which is why it is disabled by default."
2019-02-12 18:49:00 +01:00
- This options is disabled if ``ANSIBLE_KEEP_REMOTE_FILES`` is enabled.
2017-10-03 15:54:32 +02:00
env :
- name : ANSIBLE_PIPELINING
2017-10-03 22:51:56 +02:00
- name : ANSIBLE_SSH_PIPELINING
2017-08-15 22:38:59 +02:00
ini :
2017-10-03 15:54:32 +02:00
- section : connection
key : pipelining
- section : ssh_connection
key : pipelining
2017-08-15 22:38:59 +02:00
type : boolean
yaml : {key : plugins.connection.pipelining}
2017-06-14 17:08:34 +02:00
ANSIBLE_SSH_ARGS :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : -C -o ControlMaster=auto -o ControlPersist=60s
2017-08-15 22:38:59 +02:00
description :
2017-07-07 02:21:53 +02:00
- If set, this will override the Ansible default ssh arguments.
- In particular, users may wish to raise the ControlPersist time to encourage performance. A value of 30 minutes may be appropriate.
- Be aware that if `-o ControlPath` is set in ssh_args, the control path setting is not used.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_ARGS}]
ini :
- {key: ssh_args, section : ssh_connection}
yaml : {key : ssh_connection.ssh_args}
ANSIBLE_SSH_CONTROL_PATH :
2017-08-15 22:38:59 +02:00
# TODO: move to ssh plugin
2017-07-07 02:21:53 +02:00
default : null
2017-08-15 22:38:59 +02:00
description :
2017-07-07 02:21:53 +02:00
- This is the location to save ssh's ControlPath sockets, it uses ssh's variable substitution.
- Since 2.3, if null, ansible will generate a unique hash. Use `%(directory)s` to indicate where to use the control dir path setting.
- Before 2.3 it defaulted to `control_path=%(directory)s/ansible-ssh-%%h-%%p-%%r`.
- Be aware that this setting is ignored if `-o ControlPath` is set in ssh args.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_CONTROL_PATH}]
ini :
- {key: control_path, section : ssh_connection}
yaml : {key : ssh_connection.control_path}
ANSIBLE_SSH_CONTROL_PATH_DIR :
2017-08-15 22:38:59 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : ~/.ansible/cp
2017-08-15 22:38:59 +02:00
description :
2017-07-07 02:21:53 +02:00
- This sets the directory to use for ssh control path if the control path setting is null.
- Also, provides the `%(directory)s` variable for the control path setting.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_CONTROL_PATH_DIR}]
ini :
- {key: control_path_dir, section : ssh_connection}
yaml : {key : ssh_connection.control_path_dir}
ANSIBLE_SSH_EXECUTABLE :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : ssh
2017-08-15 22:38:59 +02:00
description :
2017-07-07 02:21:53 +02:00
- This defines the location of the ssh binary. It defaults to `ssh` which will use the first ssh binary available in $PATH.
- This option is usually not required, it might be useful when access to system ssh is restricted,
or when using ssh wrappers to connect to remote hosts.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_EXECUTABLE}]
ini :
- {key: ssh_executable, section : ssh_connection}
yaml : {key : ssh_connection.ssh_executable}
2017-07-07 02:21:53 +02:00
version_added : "2.2"
2017-06-14 17:08:34 +02:00
ANSIBLE_SSH_RETRIES :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : 0
2017-08-20 17:20:30 +02:00
description : Number of attempts to establish a connection before we give up and report the host as 'UNREACHABLE'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_RETRIES}]
ini :
- {key: retries, section : ssh_connection}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
yaml : {key : ssh_connection.retries}
2017-05-11 00:08:42 +02:00
ANY_ERRORS_FATAL :
2017-08-20 17:20:30 +02:00
name : Make Task failures fatal
2017-07-12 01:43:48 +02:00
default : False
2017-08-20 17:20:30 +02:00
description : Sets the default value for the any_errors_fatal keyword, if True, Task failures will be considered fatal errors.
2017-07-12 01:43:48 +02:00
env :
- name : ANSIBLE_ANY_ERRORS_FATAL
ini :
- section : defaults
key : any_errors_fatal
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
yaml : {key : errors.any_task_errors_fatal}
2017-07-12 01:43:48 +02:00
version_added : "2.4"
2017-06-14 17:08:34 +02:00
BECOME_ALLOW_SAME_USER :
2018-06-15 05:53:41 +02:00
name : Allow becoming the same user
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description : This setting controls if become is skipped when remote user and become user are the same. I.E root sudo to root.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME_ALLOW_SAME_USER}]
ini :
- {key: become_allow_same_user, section : privilege_escalation}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : privilege_escalation.become_allow_same_user}
2018-01-12 17:28:46 +01:00
AGNOSTIC_BECOME_PROMPT :
name : Display an agnostic become prompt
2018-09-14 18:16:13 +02:00
default : True
2018-01-12 17:28:46 +01:00
type : boolean
description : Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method
env : [ {name : ANSIBLE_AGNOSTIC_BECOME_PROMPT}]
ini :
- {key: agnostic_become_prompt, section : privilege_escalation}
yaml : {key : privilege_escalation.agnostic_become_prompt}
version_added : "2.5"
2017-06-14 17:08:34 +02:00
CACHE_PLUGIN :
2017-08-20 17:20:30 +02:00
name : Persistent Cache plugin
2017-06-14 17:08:34 +02:00
default : memory
2017-08-20 17:20:30 +02:00
description : Chooses which cache plugin to use, the default 'memory' is ephimeral.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CACHE_PLUGIN}]
ini :
- {key: fact_caching, section : defaults}
2017-08-20 17:20:30 +02:00
yaml : {key : facts.cache.plugin}
2017-06-14 17:08:34 +02:00
CACHE_PLUGIN_CONNECTION :
2017-08-20 17:20:30 +02:00
name : Cache Plugin URI
default : ~
2017-08-15 22:38:59 +02:00
description : Defines connection or path information for the cache plugin
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CACHE_PLUGIN_CONNECTION}]
ini :
- {key: fact_caching_connection, section : defaults}
2017-08-20 17:20:30 +02:00
yaml : {key : facts.cache.uri}
2017-06-14 17:08:34 +02:00
CACHE_PLUGIN_PREFIX :
2017-08-20 17:20:30 +02:00
name : Cache Plugin table prefix
2017-06-14 17:08:34 +02:00
default : ansible_facts
2017-08-15 22:38:59 +02:00
description : Prefix to use for cache plugin files/tables
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CACHE_PLUGIN_PREFIX}]
ini :
- {key: fact_caching_prefix, section : defaults}
2017-08-20 17:20:30 +02:00
yaml : {key : facts.cache.prefix}
2017-06-14 17:08:34 +02:00
CACHE_PLUGIN_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Cache Plugin expiration timeout
2017-06-14 17:08:34 +02:00
default : 86400
2017-08-15 22:38:59 +02:00
description : Expiration timeout for the cache plugin data
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CACHE_PLUGIN_TIMEOUT}]
ini :
- {key: fact_caching_timeout, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-08-20 17:20:30 +02:00
yaml : {key : facts.cache.timeout}
2019-03-28 18:41:39 +01:00
COLLECTIONS_PATHS :
name : ordered list of root paths for loading installed Ansible collections content
2019-07-31 17:57:44 +02:00
description : Colon separated paths in which Ansible will search for collections content.
2019-03-28 18:41:39 +01:00
default : ~/.ansible/collections:/usr/share/ansible/collections
type : pathspec
env :
- {name : ANSIBLE_COLLECTIONS_PATHS}
ini :
- {key: collections_paths, section : defaults}
2017-06-14 17:08:34 +02:00
COLOR_CHANGED :
2017-08-20 17:20:30 +02:00
name : Color for 'changed' task status
2017-06-14 17:08:34 +02:00
default : yellow
2017-08-20 17:20:30 +02:00
description : Defines the color to use on 'Changed' task status
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_CHANGED}]
ini :
- {key: changed, section : colors}
2017-07-12 01:43:48 +02:00
yaml : {key : display.colors.changed}
2018-07-18 16:31:43 +02:00
COLOR_CONSOLE_PROMPT :
name : "Color for ansible-console's prompt task status"
default : white
description : Defines the default color to use for ansible-console
env : [ {name : ANSIBLE_COLOR_CONSOLE_PROMPT}]
ini :
- {key: console_prompt, section : colors}
version_added : "2.7"
2017-06-14 17:08:34 +02:00
COLOR_DEBUG :
2017-08-20 17:20:30 +02:00
name : Color for debug statements
2017-06-14 17:08:34 +02:00
default : dark gray
2017-08-15 22:38:59 +02:00
description : Defines the color to use when emitting debug messages
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_DEBUG}]
ini :
- {key: debug, section : colors}
2017-08-20 17:20:30 +02:00
yaml : {key : display.colors.debug}
2017-06-14 17:08:34 +02:00
COLOR_DEPRECATE :
2017-08-20 17:20:30 +02:00
name : Color for deprecation messages
2017-06-14 17:08:34 +02:00
default : purple
2017-08-15 22:38:59 +02:00
description : Defines the color to use when emitting deprecation messages
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_DEPRECATE}]
ini :
- {key: deprecate, section : colors}
2017-08-20 17:20:30 +02:00
yaml : {key : display.colors.deprecate}
2017-06-14 17:08:34 +02:00
COLOR_DIFF_ADD :
2017-08-20 17:20:30 +02:00
name : Color for diff added display
2017-06-14 17:08:34 +02:00
default : green
2017-08-15 22:38:59 +02:00
description : Defines the color to use when showing added lines in diffs
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_DIFF_ADD}]
ini :
- {key: diff_add, section : colors}
2017-08-20 17:20:30 +02:00
yaml : {key : display.colors.diff.add}
2017-06-14 17:08:34 +02:00
COLOR_DIFF_LINES :
2017-08-20 17:20:30 +02:00
name : Color for diff lines display
2017-06-14 17:08:34 +02:00
default : cyan
2017-08-15 22:38:59 +02:00
description : Defines the color to use when showing diffs
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_DIFF_LINES}]
ini :
- {key: diff_lines, section : colors}
COLOR_DIFF_REMOVE :
2017-08-20 17:20:30 +02:00
name : Color for diff removed display
2017-06-14 17:08:34 +02:00
default : red
2017-08-15 22:38:59 +02:00
description : Defines the color to use when showing removed lines in diffs
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_DIFF_REMOVE}]
ini :
- {key: diff_remove, section : colors}
COLOR_ERROR :
2017-08-20 17:20:30 +02:00
name : Color for error messages
2017-06-14 17:08:34 +02:00
default : red
2017-08-15 22:38:59 +02:00
description : Defines the color to use when emitting error messages
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_ERROR}]
ini :
- {key: error, section : colors}
yaml : {key : colors.error}
COLOR_HIGHLIGHT :
2017-08-20 17:20:30 +02:00
name : Color for highlighting
2017-06-14 17:08:34 +02:00
default : white
2018-02-06 15:59:47 +01:00
description : Defines the color to use for highlighting
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_HIGHLIGHT}]
ini :
- {key: highlight, section : colors}
COLOR_OK :
2017-08-20 17:20:30 +02:00
name : Color for 'ok' task status
2017-06-14 17:08:34 +02:00
default : green
2017-08-20 17:20:30 +02:00
description : Defines the color to use when showing 'OK' task status
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_OK}]
ini :
- {key: ok, section : colors}
COLOR_SKIP :
2017-08-20 17:20:30 +02:00
name : Color for 'skip' task status
2017-06-14 17:08:34 +02:00
default : cyan
2017-08-20 17:20:30 +02:00
description : Defines the color to use when showing 'Skipped' task status
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_SKIP}]
ini :
- {key: skip, section : colors}
COLOR_UNREACHABLE :
2017-08-20 17:20:30 +02:00
name : Color for 'unreachable' host state
2017-06-14 17:08:34 +02:00
default : bright red
2017-08-15 22:38:59 +02:00
description : Defines the color to use on 'Unreachable' status
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_UNREACHABLE}]
ini :
- {key: unreachable, section : colors}
COLOR_VERBOSE :
2017-08-20 17:20:30 +02:00
name : Color for verbose messages
2017-06-14 17:08:34 +02:00
default : blue
2017-08-20 17:20:30 +02:00
description : Defines the color to use when emitting verbose messages. i.e those that show with '-v's.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_VERBOSE}]
ini :
- {key: verbose, section : colors}
COLOR_WARN :
2017-08-20 17:20:30 +02:00
name : Color for warning messages
2017-06-14 17:08:34 +02:00
default : bright purple
2017-08-15 22:38:59 +02:00
description : Defines the color to use when emitting warning messages
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COLOR_WARN}]
ini :
- {key: warn, section : colors}
2019-03-20 02:29:59 +01:00
CONDITIONAL_BARE_VARS :
2019-01-30 21:00:24 +01:00
name : Allow bare variable evaluation in conditionals
default : True
type : boolean
description :
2019-03-20 02:29:59 +01:00
- With this setting on (True), running conditional evaluation 'var' is treated differently than 'var.subkey' as the first is evaluated
directly while the second goes through the Jinja2 parser. But 'false' strings in 'var' get evaluated as booleans.
- With this setting off they both evaluate the same but in cases in which 'var' was 'false' (a string) it won't get evaluated as a boolean anymore.
2019-01-30 21:00:24 +01:00
- Currently this setting defaults to 'True' but will soon change to 'False' and the setting itself will be removed in the future.
- Expect the default to change in version 2.10 and that this setting eventually will be deprecated after 2.12
env : [ {name : ANSIBLE_CONDITIONAL_BARE_VARS}]
ini :
- {key: conditional_bare_variables, section : defaults}
2019-02-01 15:34:14 +01:00
version_added : "2.8"
2019-08-27 23:03:23 +02:00
COVERAGE_REMOTE_OUTPUT :
name : Sets the output directory and filename prefix to generate coverage run info.
description :
- Sets the output directory on the remote host to generate coverage reports to.
- Currently only used for remote coverage on PowerShell modules.
- This is for internal use only.
env :
- {name : _ANSIBLE_COVERAGE_REMOTE_OUTPUT}
vars :
- {name : _ansible_coverage_remote_output}
type : str
version_added : '2.9'
COVERAGE_REMOTE_WHITELIST :
name : Sets the list of paths to run coverage for.
description :
- A list of paths for files on the Ansible controller to run coverage for when executing on the remote host.
- Only files that match the path glob will have its coverage collected.
- Multiple path globs can be specified and are separated by ``:``.
- Currently only used for remote coverage on PowerShell modules.
- This is for internal use only.
default : '*'
env :
- {name : _ANSIBLE_COVERAGE_REMOTE_WHITELIST}
type : str
version_added : '2.9'
2017-12-21 17:35:32 +01:00
ACTION_WARNINGS :
name : Toggle action warnings
default : True
description :
2018-06-15 05:53:41 +02:00
- By default Ansible will issue a warning when received from a task action (module or action plugin)
2017-12-21 17:35:32 +01:00
- These warnings can be silenced by adjusting this setting to False.
env : [ {name : ANSIBLE_ACTION_WARNINGS}]
ini :
- {key: action_warnings, section : defaults}
type : boolean
version_added : "2.5"
2017-06-14 17:08:34 +02:00
COMMAND_WARNINGS :
2017-08-20 17:20:30 +02:00
name : Command module warnings
2017-06-14 17:08:34 +02:00
default : True
2017-08-20 17:20:30 +02:00
description :
- By default Ansible will issue a warning when the shell or command module is used and the command appears to be similar to an existing Ansible module.
2018-02-06 15:59:47 +01:00
- These warnings can be silenced by adjusting this setting to False. You can also control this at the task level with the module option ``warn``.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_COMMAND_WARNINGS}]
ini :
- {key: command_warnings, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "1.8"
2018-03-24 13:59:19 +01:00
LOCALHOST_WARNING :
name : Warning when using implicit inventory with only localhost
default : True
description :
- By default Ansible will issue a warning when there are no hosts in the
inventory.
2018-05-31 10:38:29 +02:00
- These warnings can be silenced by adjusting this setting to False.
2018-03-24 13:59:19 +01:00
env : [ {name : ANSIBLE_LOCALHOST_WARNING}]
ini :
- {key: localhost_warning, section : defaults}
type : boolean
version_added : "2.6"
2019-01-24 02:03:47 +01:00
DOC_FRAGMENT_PLUGIN_PATH :
name : documentation fragment plugins path
default : ~/.ansible/plugins/doc_fragments:/usr/share/ansible/plugins/doc_fragments
description : Colon separated paths in which Ansible will search for Documentation Fragments Plugins.
env : [ {name : ANSIBLE_DOC_FRAGMENT_PLUGINS}]
ini :
- {key: doc_fragment_plugins, section : defaults}
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_ACTION_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Action plugins path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/action:/usr/share/ansible/plugins/action
2017-08-15 22:38:59 +02:00
description : Colon separated paths in which Ansible will search for Action Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ACTION_PLUGINS}]
ini :
- {key: action_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
yaml : {key : plugins.action.path}
2017-06-14 17:08:34 +02:00
DEFAULT_ALLOW_UNSAFE_LOOKUPS :
2017-08-20 17:20:30 +02:00
name : Allow unsafe lookups
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
2017-09-13 17:09:02 +02:00
- "When enabled, this option allows lookup plugins (whether used in variables as ``{{lookup('foo')}}`` or as a loop as with_foo)
to return data that is not marked 'unsafe'."
2017-08-20 17:20:30 +02:00
- By default, such data is marked as unsafe to prevent the templating engine from evaluating any jinja2 templating language,
as this could represent a security risk. This option is provided to allow for backwards-compatibility,
however users should first consider adding allow_unsafe=True to any lookups which may be expected to contain data which may be run
through the templating engine late
2017-06-14 17:08:34 +02:00
env : [ ]
ini :
- {key: allow_unsafe_lookups, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "2.2.3"
2017-06-14 17:08:34 +02:00
DEFAULT_ASK_PASS :
2017-08-20 17:20:30 +02:00
name : Ask for the login password
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- This controls whether an Ansible playbook should prompt for a login password.
If using SSH keys for authentication, you probably do not needed to change this setting.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ASK_PASS}]
ini :
- {key: ask_pass, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.ask_pass}
DEFAULT_ASK_VAULT_PASS :
2017-08-20 17:20:30 +02:00
name : Ask for the vault password(s)
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- This controls whether an Ansible playbook should prompt for a vault password.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ASK_VAULT_PASS}]
ini :
- {key: ask_vault_pass, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_BECOME :
2017-08-20 17:20:30 +02:00
name : Enable privilege escalation (become)
2017-06-14 17:08:34 +02:00
default : False
2017-08-15 22:38:59 +02:00
description : Toggles the use of privilege escalation, allowing you to 'become' another user after login.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME}]
ini :
- {key: become, section : privilege_escalation}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_BECOME_ASK_PASS :
2018-06-15 05:53:41 +02:00
name : Ask for the privilege escalation (become) password
2017-06-14 17:08:34 +02:00
default : False
2017-08-15 22:38:59 +02:00
description : Toggle to prompt for privilege escalation password.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME_ASK_PASS}]
ini :
- {key: become_ask_pass, section : privilege_escalation}
2017-08-15 22:38:59 +02:00
type : boolean
DEFAULT_BECOME_METHOD :
2017-08-20 17:20:30 +02:00
name : Choose privilege escalation method
2017-08-15 22:38:59 +02:00
default : 'sudo'
description : Privilege escalation method to use when `become` is enabled.
env : [ {name : ANSIBLE_BECOME_METHOD}]
ini :
- {section: privilege_escalation, key : become_method}
2017-06-14 17:08:34 +02:00
DEFAULT_BECOME_EXE :
2017-08-20 17:20:30 +02:00
name : Choose 'become' executable
2017-08-15 22:38:59 +02:00
default : ~
2017-09-13 17:09:02 +02:00
description : 'executable to use for privilege escalation, otherwise Ansible will depend on PATH'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME_EXE}]
ini :
- {key: become_exe, section : privilege_escalation}
DEFAULT_BECOME_FLAGS :
2017-08-20 17:20:30 +02:00
name : Set 'become' executable options
2017-09-20 23:26:22 +02:00
default : ''
2017-08-15 22:38:59 +02:00
description : Flags to pass to the privilege escalation executable.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME_FLAGS}]
ini :
- {key: become_flags, section : privilege_escalation}
2019-03-22 23:02:47 +01:00
BECOME_PLUGIN_PATH :
Become plugins (#50991)
* [WIP] become plugins
Move from hardcoded method to plugins for ease of use, expansion and overrides
- load into connection as it is going to be the main consumer
- play_context will also use to keep backwards compat API
- ensure shell is used to construct commands when needed
- migrate settings remove from base config in favor of plugin specific configs
- cleanup ansible-doc
- add become plugin docs
- remove deprecated sudo/su code and keywords
- adjust become options for cli
- set plugin options from context
- ensure config defs are avaialbe before instance
- refactored getting the shell plugin, fixed tests
- changed into regex as they were string matching, which does not work with random string generation
- explicitly set flags for play context tests
- moved plugin loading up front
- now loads for basedir also
- allow pyc/o for non m modules
- fixes to tests and some plugins
- migrate to play objects fro play_context
- simiplify gathering
- added utf8 headers
- moved option setting
- add fail msg to dzdo
- use tuple for multiple options on fail/missing
- fix relative plugin paths
- shift from play context to play
- all tasks already inherit this from play directly
- remove obsolete 'set play'
- correct environment handling
- add wrap_exe option to pfexec
- fix runas to noop
- fixed setting play context
- added password configs
- removed required false
- remove from doc building till they are ready
future development:
- deal with 'enable' and 'runas' which are not 'command wrappers' but 'state flags' and currently hardcoded in diff subsystems
* cleanup
remove callers to removed func
removed --sudo cli doc refs
remove runas become_exe
ensure keyerorr on plugin
also fix backwards compat, missing method is attributeerror, not ansible error
get remote_user consistently
ignore missing system_tmpdirs on plugin load
correct config precedence
add deprecation
fix networking imports
backwards compat for plugins using BECOME_METHODS
* Port become_plugins to context.CLIARGS
This is a work in progress:
* Stop passing options around everywhere as we can use context.CLIARGS
instead
* Refactor make_become_commands as asked for by alikins
* Typo in comment fix
* Stop loading values from the cli in more than one place
Both play and play_context were saving default values from the cli
arguments directly. This changes things so that the default values are
loaded into the play and then play_context takes them from there.
* Rename BECOME_PLUGIN_PATH to DEFAULT_BECOME_PLUGIN_PATH
As alikins said, all other plugin paths are named
DEFAULT_plugintype_PLUGIN_PATH. If we're going to rename these, that
should be done all at one time rather than piecemeal.
* One to throw away
This is a set of hacks to get setting FieldAttribute defaults to command
line args to work. It's not fully done yet.
After talking it over with sivel and jimi-c this should be done by
fixing FieldAttributeBase and _get_parent_attribute() calls to do the
right thing when there is a non-None default.
What we want to be able to do ideally is something like this:
class Base(FieldAttributeBase):
_check_mode = FieldAttribute([..] default=lambda: context.CLIARGS['check'])
class Play(Base):
# lambda so that we have a chance to parse the command line args
# before we get here. In the future we might be able to restructure
# this so that the cli parsing code runs before these classes are
# defined.
class Task(Base):
pass
And still have a playbook like this function:
---
- hosts:
tasks:
- command: whoami
check_mode: True
(The check_mode test that is added as a separate commit in this PR will
let you test variations on this case).
There's a few separate reasons that the code doesn't let us do this or
a non-ugly workaround for this as written right now. The fix that
jimi-c, sivel, and I talked about may let us do this or it may still
require a workaround (but less ugly) (having one class that has the
FieldAttributes with default values and one class that inherits from
that but just overrides the FieldAttributes which now have defaults)
* Revert "One to throw away"
This reverts commit 23aa883cbed11429ef1be2a2d0ed18f83a3b8064.
* Set FieldAttr defaults directly from CLIARGS
* Remove dead code
* Move timeout directly to PlayContext, it's never needed on Play
* just for backwards compat, add a static version of BECOME_METHODS to constants
* Make the become attr on the connection public, since it's used outside of the connection
* Logic fix
* Nuke connection testing if it supports specific become methods
* Remove unused vars
* Address rebase issues
* Fix path encoding issue
* Remove unused import
* Various cleanups
* Restore network_cli check in _low_level_execute_command
* type improvements for cliargs_deferred_get and swap shallowcopy to default to False
* minor cleanups
* Allow the su plugin to work, since it doesn't define a prompt the same way
* Fix up ksu become plugin
* Only set prompt if build_become_command was called
* Add helper to assist connection plugins in knowing they need to wait for a prompt
* Fix tests and code expectations
* Doc updates
* Various additional minor cleanups
* Make doas functional
* Don't change connection signature, load become plugin from TaskExecutor
* Remove unused imports
* Add comment about setting the become plugin on the playcontext
* Fix up tests for recent changes
* Support 'Password:' natively for the doas plugin
* Make default prompts raw
* wording cleanups. ci_complete
* Remove unrelated changes
* Address spelling mistake
* Restore removed test, and udpate to use new functionality
* Add changelog fragment
* Don't hard fail in set_attributes_from_cli on missing CLI keys
* Remove unrelated change to loader
* Remove internal deprecated FieldAttributes now
* Emit deprecation warnings now
2019-02-11 18:27:44 +01:00
name : Become plugins path
2019-03-22 23:02:47 +01:00
default : ~/.ansible/plugins/become:/usr/share/ansible/plugins/become
Become plugins (#50991)
* [WIP] become plugins
Move from hardcoded method to plugins for ease of use, expansion and overrides
- load into connection as it is going to be the main consumer
- play_context will also use to keep backwards compat API
- ensure shell is used to construct commands when needed
- migrate settings remove from base config in favor of plugin specific configs
- cleanup ansible-doc
- add become plugin docs
- remove deprecated sudo/su code and keywords
- adjust become options for cli
- set plugin options from context
- ensure config defs are avaialbe before instance
- refactored getting the shell plugin, fixed tests
- changed into regex as they were string matching, which does not work with random string generation
- explicitly set flags for play context tests
- moved plugin loading up front
- now loads for basedir also
- allow pyc/o for non m modules
- fixes to tests and some plugins
- migrate to play objects fro play_context
- simiplify gathering
- added utf8 headers
- moved option setting
- add fail msg to dzdo
- use tuple for multiple options on fail/missing
- fix relative plugin paths
- shift from play context to play
- all tasks already inherit this from play directly
- remove obsolete 'set play'
- correct environment handling
- add wrap_exe option to pfexec
- fix runas to noop
- fixed setting play context
- added password configs
- removed required false
- remove from doc building till they are ready
future development:
- deal with 'enable' and 'runas' which are not 'command wrappers' but 'state flags' and currently hardcoded in diff subsystems
* cleanup
remove callers to removed func
removed --sudo cli doc refs
remove runas become_exe
ensure keyerorr on plugin
also fix backwards compat, missing method is attributeerror, not ansible error
get remote_user consistently
ignore missing system_tmpdirs on plugin load
correct config precedence
add deprecation
fix networking imports
backwards compat for plugins using BECOME_METHODS
* Port become_plugins to context.CLIARGS
This is a work in progress:
* Stop passing options around everywhere as we can use context.CLIARGS
instead
* Refactor make_become_commands as asked for by alikins
* Typo in comment fix
* Stop loading values from the cli in more than one place
Both play and play_context were saving default values from the cli
arguments directly. This changes things so that the default values are
loaded into the play and then play_context takes them from there.
* Rename BECOME_PLUGIN_PATH to DEFAULT_BECOME_PLUGIN_PATH
As alikins said, all other plugin paths are named
DEFAULT_plugintype_PLUGIN_PATH. If we're going to rename these, that
should be done all at one time rather than piecemeal.
* One to throw away
This is a set of hacks to get setting FieldAttribute defaults to command
line args to work. It's not fully done yet.
After talking it over with sivel and jimi-c this should be done by
fixing FieldAttributeBase and _get_parent_attribute() calls to do the
right thing when there is a non-None default.
What we want to be able to do ideally is something like this:
class Base(FieldAttributeBase):
_check_mode = FieldAttribute([..] default=lambda: context.CLIARGS['check'])
class Play(Base):
# lambda so that we have a chance to parse the command line args
# before we get here. In the future we might be able to restructure
# this so that the cli parsing code runs before these classes are
# defined.
class Task(Base):
pass
And still have a playbook like this function:
---
- hosts:
tasks:
- command: whoami
check_mode: True
(The check_mode test that is added as a separate commit in this PR will
let you test variations on this case).
There's a few separate reasons that the code doesn't let us do this or
a non-ugly workaround for this as written right now. The fix that
jimi-c, sivel, and I talked about may let us do this or it may still
require a workaround (but less ugly) (having one class that has the
FieldAttributes with default values and one class that inherits from
that but just overrides the FieldAttributes which now have defaults)
* Revert "One to throw away"
This reverts commit 23aa883cbed11429ef1be2a2d0ed18f83a3b8064.
* Set FieldAttr defaults directly from CLIARGS
* Remove dead code
* Move timeout directly to PlayContext, it's never needed on Play
* just for backwards compat, add a static version of BECOME_METHODS to constants
* Make the become attr on the connection public, since it's used outside of the connection
* Logic fix
* Nuke connection testing if it supports specific become methods
* Remove unused vars
* Address rebase issues
* Fix path encoding issue
* Remove unused import
* Various cleanups
* Restore network_cli check in _low_level_execute_command
* type improvements for cliargs_deferred_get and swap shallowcopy to default to False
* minor cleanups
* Allow the su plugin to work, since it doesn't define a prompt the same way
* Fix up ksu become plugin
* Only set prompt if build_become_command was called
* Add helper to assist connection plugins in knowing they need to wait for a prompt
* Fix tests and code expectations
* Doc updates
* Various additional minor cleanups
* Make doas functional
* Don't change connection signature, load become plugin from TaskExecutor
* Remove unused imports
* Add comment about setting the become plugin on the playcontext
* Fix up tests for recent changes
* Support 'Password:' natively for the doas plugin
* Make default prompts raw
* wording cleanups. ci_complete
* Remove unrelated changes
* Address spelling mistake
* Restore removed test, and udpate to use new functionality
* Add changelog fragment
* Don't hard fail in set_attributes_from_cli on missing CLI keys
* Remove unrelated change to loader
* Remove internal deprecated FieldAttributes now
* Emit deprecation warnings now
2019-02-11 18:27:44 +01:00
description : Colon separated paths in which Ansible will search for Become Plugins.
env : [ {name : ANSIBLE_BECOME_PLUGINS}]
ini :
- {key: become_plugins, section : defaults}
type : pathspec
2019-03-22 23:02:47 +01:00
version_added : "2.8"
2017-06-14 17:08:34 +02:00
DEFAULT_BECOME_USER :
2017-08-20 17:20:30 +02:00
# FIXME: should really be blank and make -u passing optional depending on it
2018-12-14 10:42:58 +01:00
name : Set the user you 'become' via privilege escalation
2017-06-14 17:08:34 +02:00
default : root
2017-08-20 17:20:30 +02:00
description : The user your login/remote user 'becomes' when using privilege escalation, most systems will use 'root' when no user is specified.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_BECOME_USER}]
ini :
- {key: become_user, section : privilege_escalation}
2017-08-20 17:20:30 +02:00
yaml : {key : become.user}
2017-06-14 17:08:34 +02:00
DEFAULT_CACHE_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Cache Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/cache:/usr/share/ansible/plugins/cache
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Cache Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CACHE_PLUGINS}]
ini :
- {key: cache_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_CALLABLE_WHITELIST :
2017-08-20 17:20:30 +02:00
name : Template 'callable' whitelist
2017-06-14 17:08:34 +02:00
default : [ ]
2017-08-20 17:20:30 +02:00
description : Whitelist of callable methods to be made available to template evaluation
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CALLABLE_WHITELIST}]
ini :
- {key: callable_whitelist, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
2017-06-14 17:08:34 +02:00
DEFAULT_CALLBACK_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Callback Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Callback Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CALLBACK_PLUGINS}]
ini :
- {key: callback_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
yaml : {key : plugins.callback.path}
2017-06-14 17:08:34 +02:00
DEFAULT_CALLBACK_WHITELIST :
2017-08-20 17:20:30 +02:00
name : Callback Whitelist
2017-06-14 17:08:34 +02:00
default : [ ]
2017-08-20 17:20:30 +02:00
description :
2017-09-13 17:09:02 +02:00
- "List of whitelisted callbacks, not all callbacks need whitelisting,
but many of those shipped with Ansible do as we don't want them activated by default."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CALLBACK_WHITELIST}]
ini :
- {key: callback_whitelist, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
2017-08-20 17:20:30 +02:00
yaml : {key : plugins.callback.whitelist}
2018-03-03 23:26:28 +01:00
DEFAULT_CLICONF_PLUGIN_PATH :
name : Cliconf Plugins Path
default : ~/.ansible/plugins/cliconf:/usr/share/ansible/plugins/cliconf
description : Colon separated paths in which Ansible will search for Cliconf Plugins.
env : [ {name : ANSIBLE_CLICONF_PLUGINS}]
ini :
- {key: cliconf_plugins, section : defaults}
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_CONNECTION_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Connection Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/connection:/usr/share/ansible/plugins/connection
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Connection Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_CONNECTION_PLUGINS}]
ini :
- {key: connection_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
yaml : {key : plugins.connection.path}
2017-06-14 17:08:34 +02:00
DEFAULT_DEBUG :
2017-08-20 17:20:30 +02:00
name : Debug mode
2017-06-14 17:08:34 +02:00
default : False
2018-04-25 02:30:41 +02:00
description :
- "Toggles debug output in Ansible. This is *very* verbose and can hinder
multiprocessing. Debug output can also include secret information
2018-05-31 10:38:29 +02:00
despite no_log settings being enabled, which means debug mode should not be used in
2018-04-25 02:30:41 +02:00
production."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_DEBUG}]
ini :
- {key: debug, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_EXECUTABLE :
2017-08-20 17:20:30 +02:00
name : Target shell executable
2017-06-14 17:08:34 +02:00
default : /bin/sh
2017-08-20 17:20:30 +02:00
description :
2017-09-13 17:09:02 +02:00
- "This indicates the command to use to spawn a shell under for Ansible's execution needs on a target.
Users may need to change this in rare instances when shell usage is constrained, but in most cases it may be left as is."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_EXECUTABLE}]
ini :
- {key: executable, section : defaults}
DEFAULT_FACT_PATH :
2017-08-20 17:20:30 +02:00
name : local fact path
default : ~
description :
2017-09-13 17:09:02 +02:00
- "This option allows you to globally configure a custom path for 'local_facts' for the implied M(setup) task when using fact gathering."
2017-08-20 17:20:30 +02:00
- "If not set, it will fallback to the default from the M(setup) module: ``/etc/ansible/facts.d``."
2017-09-13 17:09:02 +02:00
- "This does **not** affect user defined tasks that use the M(setup) module."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_FACT_PATH}]
ini :
- {key: fact_path, section : defaults}
2017-08-15 22:38:59 +02:00
type : path
2017-08-20 17:20:30 +02:00
yaml : {key : facts.gathering.fact_path}
2017-06-14 17:08:34 +02:00
DEFAULT_FILTER_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Jinja2 Filter Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Jinja2 Filter Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_FILTER_PLUGINS}]
ini :
- {key: filter_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_FORCE_HANDLERS :
2017-08-20 17:20:30 +02:00
name : Force handlers to run after failure
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- This option controls if notified handlers run on a host even if a failure occurs on that host.
- When false, the handlers will not run if a failure has occurred on a host.
- This can also be set per play or on the command line. See Handlers and Failure for more details.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_FORCE_HANDLERS}]
ini :
- {key: force_handlers, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "1.9.1"
2017-06-14 17:08:34 +02:00
DEFAULT_FORKS :
2017-08-20 17:20:30 +02:00
name : Number of task forks
2017-06-14 17:08:34 +02:00
default : 5
2017-08-15 22:38:59 +02:00
description : Maximum number of forks Ansible will use to execute tasks on target hosts.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_FORKS}]
ini :
- {key: forks, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
DEFAULT_GATHERING :
2017-08-20 17:20:30 +02:00
name : Gathering behaviour
default : 'implicit'
description :
- This setting controls the default policy of fact gathering (facts discovered about remote systems).
2017-09-13 17:09:02 +02:00
- "When 'implicit' (the default), the cache plugin will be ignored and facts will be gathered per play unless 'gather_facts: False' is set."
- "When 'explicit' the inverse is true, facts will not be gathered unless directly requested in the play."
- "The 'smart' value means each new host that has no facts discovered will be scanned,
but if the same host is addressed in multiple plays it will not be contacted again in the playbook run."
- "This option can be useful for those wishing to save fact gathering time. Both 'smart' and 'explicit' will use the cache plugin."
2017-08-20 17:20:30 +02:00
env : [ {name : ANSIBLE_GATHERING}]
ini :
- key : gathering
section : defaults
version_added : "1.6"
choices : [ 'smart' , 'explicit' , 'implicit' ]
2017-06-14 17:08:34 +02:00
DEFAULT_GATHER_SUBSET :
2017-08-20 17:20:30 +02:00
name : Gather facts subset
2018-08-23 17:36:06 +02:00
default : [ 'all' ]
2017-08-20 17:20:30 +02:00
description :
- Set the `gather_subset` option for the M(setup) task in the implicit fact gathering.
See the module documentation for specifics.
2017-09-13 17:09:02 +02:00
- "It does **not** apply to user defined M(setup) tasks."
2017-08-20 17:20:30 +02:00
env : [ {name : ANSIBLE_GATHER_SUBSET}]
ini :
- key : gather_subset
section : defaults
version_added : "2.1"
Become plugins (#50991)
* [WIP] become plugins
Move from hardcoded method to plugins for ease of use, expansion and overrides
- load into connection as it is going to be the main consumer
- play_context will also use to keep backwards compat API
- ensure shell is used to construct commands when needed
- migrate settings remove from base config in favor of plugin specific configs
- cleanup ansible-doc
- add become plugin docs
- remove deprecated sudo/su code and keywords
- adjust become options for cli
- set plugin options from context
- ensure config defs are avaialbe before instance
- refactored getting the shell plugin, fixed tests
- changed into regex as they were string matching, which does not work with random string generation
- explicitly set flags for play context tests
- moved plugin loading up front
- now loads for basedir also
- allow pyc/o for non m modules
- fixes to tests and some plugins
- migrate to play objects fro play_context
- simiplify gathering
- added utf8 headers
- moved option setting
- add fail msg to dzdo
- use tuple for multiple options on fail/missing
- fix relative plugin paths
- shift from play context to play
- all tasks already inherit this from play directly
- remove obsolete 'set play'
- correct environment handling
- add wrap_exe option to pfexec
- fix runas to noop
- fixed setting play context
- added password configs
- removed required false
- remove from doc building till they are ready
future development:
- deal with 'enable' and 'runas' which are not 'command wrappers' but 'state flags' and currently hardcoded in diff subsystems
* cleanup
remove callers to removed func
removed --sudo cli doc refs
remove runas become_exe
ensure keyerorr on plugin
also fix backwards compat, missing method is attributeerror, not ansible error
get remote_user consistently
ignore missing system_tmpdirs on plugin load
correct config precedence
add deprecation
fix networking imports
backwards compat for plugins using BECOME_METHODS
* Port become_plugins to context.CLIARGS
This is a work in progress:
* Stop passing options around everywhere as we can use context.CLIARGS
instead
* Refactor make_become_commands as asked for by alikins
* Typo in comment fix
* Stop loading values from the cli in more than one place
Both play and play_context were saving default values from the cli
arguments directly. This changes things so that the default values are
loaded into the play and then play_context takes them from there.
* Rename BECOME_PLUGIN_PATH to DEFAULT_BECOME_PLUGIN_PATH
As alikins said, all other plugin paths are named
DEFAULT_plugintype_PLUGIN_PATH. If we're going to rename these, that
should be done all at one time rather than piecemeal.
* One to throw away
This is a set of hacks to get setting FieldAttribute defaults to command
line args to work. It's not fully done yet.
After talking it over with sivel and jimi-c this should be done by
fixing FieldAttributeBase and _get_parent_attribute() calls to do the
right thing when there is a non-None default.
What we want to be able to do ideally is something like this:
class Base(FieldAttributeBase):
_check_mode = FieldAttribute([..] default=lambda: context.CLIARGS['check'])
class Play(Base):
# lambda so that we have a chance to parse the command line args
# before we get here. In the future we might be able to restructure
# this so that the cli parsing code runs before these classes are
# defined.
class Task(Base):
pass
And still have a playbook like this function:
---
- hosts:
tasks:
- command: whoami
check_mode: True
(The check_mode test that is added as a separate commit in this PR will
let you test variations on this case).
There's a few separate reasons that the code doesn't let us do this or
a non-ugly workaround for this as written right now. The fix that
jimi-c, sivel, and I talked about may let us do this or it may still
require a workaround (but less ugly) (having one class that has the
FieldAttributes with default values and one class that inherits from
that but just overrides the FieldAttributes which now have defaults)
* Revert "One to throw away"
This reverts commit 23aa883cbed11429ef1be2a2d0ed18f83a3b8064.
* Set FieldAttr defaults directly from CLIARGS
* Remove dead code
* Move timeout directly to PlayContext, it's never needed on Play
* just for backwards compat, add a static version of BECOME_METHODS to constants
* Make the become attr on the connection public, since it's used outside of the connection
* Logic fix
* Nuke connection testing if it supports specific become methods
* Remove unused vars
* Address rebase issues
* Fix path encoding issue
* Remove unused import
* Various cleanups
* Restore network_cli check in _low_level_execute_command
* type improvements for cliargs_deferred_get and swap shallowcopy to default to False
* minor cleanups
* Allow the su plugin to work, since it doesn't define a prompt the same way
* Fix up ksu become plugin
* Only set prompt if build_become_command was called
* Add helper to assist connection plugins in knowing they need to wait for a prompt
* Fix tests and code expectations
* Doc updates
* Various additional minor cleanups
* Make doas functional
* Don't change connection signature, load become plugin from TaskExecutor
* Remove unused imports
* Add comment about setting the become plugin on the playcontext
* Fix up tests for recent changes
* Support 'Password:' natively for the doas plugin
* Make default prompts raw
* wording cleanups. ci_complete
* Remove unrelated changes
* Address spelling mistake
* Restore removed test, and udpate to use new functionality
* Add changelog fragment
* Don't hard fail in set_attributes_from_cli on missing CLI keys
* Remove unrelated change to loader
* Remove internal deprecated FieldAttributes now
* Emit deprecation warnings now
2019-02-11 18:27:44 +01:00
type : list
2017-06-14 17:08:34 +02:00
DEFAULT_GATHER_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Gather facts timeout
2017-06-14 17:08:34 +02:00
default : 10
2017-08-20 17:20:30 +02:00
description :
- Set the timeout in seconds for the implicit fact gathering.
2017-09-13 17:09:02 +02:00
- "It does **not** apply to user defined M(setup) tasks."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_GATHER_TIMEOUT}]
ini :
- {key: gather_timeout, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.gather_timeout}
DEFAULT_HANDLER_INCLUDES_STATIC :
2017-08-20 17:20:30 +02:00
name : Make handler M(include) static
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
2017-09-13 17:09:02 +02:00
- "Since 2.0 M(include) can be 'dynamic', this setting (if True) forces that if the include appears in a ``handlers`` section to be 'static'."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_HANDLER_INCLUDES_STATIC}]
ini :
- {key: handler_includes_static, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
deprecated :
why : include itself is deprecated and this setting will not matter in the future
2018-11-05 18:08:13 +01:00
version : "2.12"
2017-08-15 22:38:59 +02:00
alternatives : none as its already built into the decision between include_tasks and import_tasks
2017-06-14 17:08:34 +02:00
DEFAULT_HASH_BEHAVIOUR :
2017-08-20 17:20:30 +02:00
name : Hash merge behaviour
2017-06-14 17:08:34 +02:00
default : replace
2017-08-20 17:20:30 +02:00
type : string
2017-09-13 17:09:02 +02:00
choices : [ "replace" , "merge" ]
2017-08-20 17:20:30 +02:00
description :
- This setting controls how variables merge in Ansible.
By default Ansible will override variables in specific precedence orders, as described in Variables.
When a variable of higher precedence wins, it will replace the other value.
2017-09-13 17:09:02 +02:00
- "Some users prefer that variables that are hashes (aka 'dictionaries' in Python terms) are merged.
This setting is called 'merge'. This is not the default behavior and it does not affect variables whose values are scalars
2017-08-20 17:20:30 +02:00
(integers, strings) or arrays. We generally recommend not using this setting unless you think you have an absolute need for it,
2017-09-13 17:09:02 +02:00
and playbooks in the official examples repos do not use this setting"
2017-08-20 17:20:30 +02:00
- In version 2.0 a ``combine`` filter was added to allow doing this for a particular variable (described in Filters).
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_HASH_BEHAVIOUR}]
ini :
- {key: hash_behaviour, section : defaults}
2019-10-14 17:35:11 +02:00
deprecated :
why : This feature is fragile and not portable, leading to continual confusion and misuse
version : "2.13"
alternatives : the ``combine`` filter explicitly
2017-06-14 17:08:34 +02:00
DEFAULT_HOST_LIST :
2017-08-20 17:20:30 +02:00
name : Inventory Source
2017-06-14 17:08:34 +02:00
default : /etc/ansible/hosts
2018-05-11 15:18:31 +02:00
description : Comma separated list of Ansible inventory sources
2017-08-20 17:20:30 +02:00
env :
- name : ANSIBLE_INVENTORY
2017-06-14 17:08:34 +02:00
expand_relative_paths : True
ini :
2017-08-20 17:20:30 +02:00
- key : inventory
section : defaults
2017-09-06 20:04:17 +02:00
type : pathlist
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.inventory}
2018-05-18 00:47:15 +02:00
DEFAULT_HTTPAPI_PLUGIN_PATH :
name : HttpApi Plugins Path
default : ~/.ansible/plugins/httpapi:/usr/share/ansible/plugins/httpapi
description : Colon separated paths in which Ansible will search for HttpApi Plugins.
env : [ {name : ANSIBLE_HTTPAPI_PLUGINS}]
ini :
- {key: httpapi_plugins, section : defaults}
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_INTERNAL_POLL_INTERVAL :
2017-08-20 17:20:30 +02:00
name : Internal poll interval
2017-06-14 17:08:34 +02:00
default : 0.001
env : [ ]
ini :
- {key: internal_poll_interval, section : defaults}
2017-08-15 22:38:59 +02:00
type : float
2017-08-20 17:20:30 +02:00
version_added : "2.2"
description :
- This sets the interval (in seconds) of Ansible internal processes polling each other.
Lower values improve performance with large playbooks at the expense of extra CPU load.
Higher values are more suitable for Ansible usage in automation scenarios,
when UI responsiveness is not required but CPU usage might be a concern.
2017-09-13 17:09:02 +02:00
- "The default corresponds to the value hardcoded in Ansible <= 2.1"
2017-06-14 17:08:34 +02:00
DEFAULT_INVENTORY_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Inventory Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/inventory:/usr/share/ansible/plugins/inventory
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Inventory Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_INVENTORY_PLUGINS}]
ini :
- {key: inventory_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_JINJA2_EXTENSIONS :
2017-08-20 17:20:30 +02:00
name : Enabled Jinja2 extensions
default : [ ]
description :
- This is a developer-specific feature that allows enabling additional Jinja2 extensions.
2017-09-13 17:09:02 +02:00
- "See the Jinja2 documentation for details. If you do not know what these do, you probably don't need to change this setting :)"
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_JINJA2_EXTENSIONS}]
ini :
- {key: jinja2_extensions, section : defaults}
2018-05-31 10:38:29 +02:00
DEFAULT_JINJA2_NATIVE :
name : Use Jinja2's NativeEnvironment for templating
default : False
description : This option preserves variable types during template operations. This requires Jinja2 >= 2.10.
env : [ {name : ANSIBLE_JINJA2_NATIVE}]
ini :
- {key: jinja2_native, section : defaults}
type : boolean
yaml : {key : jinja2_native}
version_added : 2.7
2017-06-14 17:08:34 +02:00
DEFAULT_KEEP_REMOTE_FILES :
2017-08-20 17:20:30 +02:00
name : Keep remote files
2017-06-14 17:08:34 +02:00
default : False
2019-02-12 18:49:00 +01:00
description :
- Enables/disables the cleaning up of the temporary files Ansible used to execute the tasks on the remote.
- If this option is enabled it will disable ``ANSIBLE_PIPELINING``.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_KEEP_REMOTE_FILES}]
ini :
- {key: keep_remote_files, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_LIBVIRT_LXC_NOSECLABEL :
2017-08-20 17:20:30 +02:00
# TODO: move to plugin
name : No security label on Lxc
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
2017-09-13 17:09:02 +02:00
- "This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh.
This is necessary when running on systems which do not have SELinux."
2019-03-26 22:43:48 +01:00
env :
- name : LIBVIRT_LXC_NOSECLABEL
deprecated :
why : environment variables without "ANSIBLE_" prefix are deprecated
version : "2.12"
alternatives : the "ANSIBLE_LIBVIRT_LXC_NOSECLABEL" environment variable
- name : ANSIBLE_LIBVIRT_LXC_NOSECLABEL
2017-06-14 17:08:34 +02:00
ini :
- {key: libvirt_lxc_noseclabel, section : selinux}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "2.1"
2017-06-14 17:08:34 +02:00
DEFAULT_LOAD_CALLBACK_PLUGINS :
2017-08-20 17:20:30 +02:00
name : Load callbacks for adhoc
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- Controls whether callback plugins are loaded when running /usr/bin/ansible.
This may be used to log activity from the command line, send notifications, and so on.
Callback plugins are always loaded for ``ansible-playbook``.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_LOAD_CALLBACK_PLUGINS}]
ini :
- {key: bin_ansible_callbacks, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "1.8"
2017-06-14 17:08:34 +02:00
DEFAULT_LOCAL_TMP :
2017-08-20 17:20:30 +02:00
name : Controller temporary directory
2017-06-14 17:08:34 +02:00
default : ~/.ansible/tmp
2017-08-15 22:38:59 +02:00
description : Temporary directory for Ansible to use on the controller.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_LOCAL_TEMP}]
ini :
- {key: local_tmp, section : defaults}
2017-08-15 22:38:59 +02:00
type : tmppath
2017-06-14 17:08:34 +02:00
DEFAULT_LOG_PATH :
2017-08-20 17:20:30 +02:00
name : Ansible log file path
2018-05-31 20:40:11 +02:00
default : ~
2017-08-15 22:38:59 +02:00
description : File to which Ansible will log on the controller. When empty logging is disabled.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_LOG_PATH}]
ini :
- {key: log_path, section : defaults}
2017-08-15 22:38:59 +02:00
type : path
2018-01-31 18:10:06 +01:00
DEFAULT_LOG_FILTER :
name : Name filters for python logger
default : [ ]
description : List of logger names to filter out of the log file
env : [ {name : ANSIBLE_LOG_FILTER}]
ini :
- {key: log_filter, section : defaults}
type : list
2017-06-14 17:08:34 +02:00
DEFAULT_LOOKUP_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Lookup Plugins Path
description : Colon separated paths in which Ansible will search for Lookup Plugins.
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
env : [ {name : ANSIBLE_LOOKUP_PLUGINS}]
ini :
- {key: lookup_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.lookup_plugins}
DEFAULT_MANAGED_STR :
2017-08-20 17:20:30 +02:00
name : Ansible managed
default : 'Ansible managed'
2018-04-20 21:32:00 +02:00
description : Sets the macro for the 'ansible_managed' variable available for M(template) and M(win_template) modules. This is only relevant for those two modules.
2017-06-14 17:08:34 +02:00
env : [ ]
ini :
- {key: ansible_managed, section : defaults}
yaml : {key : defaults.ansible_managed}
DEFAULT_MODULE_ARGS :
2017-08-20 17:20:30 +02:00
name : Adhoc default arguments
2017-06-14 17:08:34 +02:00
default : ''
2017-08-20 17:20:30 +02:00
description :
- This sets the default arguments to pass to the ``ansible`` adhoc binary if no ``-a`` is specified.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_MODULE_ARGS}]
ini :
- {key: module_args, section : defaults}
DEFAULT_MODULE_COMPRESSION :
2017-08-20 17:20:30 +02:00
name : Python module compression
2017-06-14 17:08:34 +02:00
default : ZIP_DEFLATED
2018-06-15 05:53:41 +02:00
description : Compression scheme to use when transferring Python modules to the target.
2017-06-14 17:08:34 +02:00
env : [ ]
ini :
- {key: module_compression, section : defaults}
2017-08-20 17:20:30 +02:00
# vars:
# - name: ansible_module_compression
2017-06-14 17:08:34 +02:00
DEFAULT_MODULE_NAME :
2017-08-20 17:20:30 +02:00
name : Default adhoc module
2017-06-14 17:08:34 +02:00
default : command
2017-09-13 17:09:02 +02:00
description : "Module to use with the ``ansible`` AdHoc command, if none is specified via ``-m``."
2017-06-14 17:08:34 +02:00
env : [ ]
ini :
- {key: module_name, section : defaults}
DEFAULT_MODULE_PATH :
2017-08-20 17:20:30 +02:00
name : Modules Path
description : Colon separated paths in which Ansible will search for Modules.
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
env : [ {name : ANSIBLE_LIBRARY}]
ini :
- {key: library, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_MODULE_UTILS_PATH :
2017-08-20 17:20:30 +02:00
name : Module Utils Path
description : Colon separated paths in which Ansible will search for Module utils files, which are shared by modules.
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
env : [ {name : ANSIBLE_MODULE_UTILS}]
ini :
- {key: module_utils, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2018-03-03 23:26:28 +01:00
DEFAULT_NETCONF_PLUGIN_PATH :
name : Netconf Plugins Path
default : ~/.ansible/plugins/netconf:/usr/share/ansible/plugins/netconf
description : Colon separated paths in which Ansible will search for Netconf Plugins.
env : [ {name : ANSIBLE_NETCONF_PLUGINS}]
ini :
2018-03-04 01:29:33 +01:00
- {key: netconf_plugins, section : defaults}
2018-03-03 23:26:28 +01:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_NO_LOG :
2017-08-20 17:20:30 +02:00
name : No log
2017-06-14 17:08:34 +02:00
default : False
2017-09-13 17:09:02 +02:00
description : "Toggle Ansible's display and logging of task details, mainly used to avoid security disclosures."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_NO_LOG}]
ini :
- {key: no_log, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_NO_TARGET_SYSLOG :
2017-08-20 17:20:30 +02:00
name : No syslog on target
2017-06-14 17:08:34 +02:00
default : False
2017-12-29 01:51:43 +01:00
description : Toggle Ansible logging to syslog on the target when it executes tasks.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_NO_TARGET_SYSLOG}]
ini :
- {key: no_target_syslog, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.no_target_syslog}
DEFAULT_NULL_REPRESENTATION :
2017-08-20 17:20:30 +02:00
name : Represent a null
default : ~
description : What templating should return as a 'null' value. When not set it will let Jinja2 decide.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_NULL_REPRESENTATION}]
ini :
- {key: null_representation, section : defaults}
2017-08-15 22:38:59 +02:00
type : none
2017-06-14 17:08:34 +02:00
DEFAULT_POLL_INTERVAL :
2017-08-20 17:20:30 +02:00
name : Async poll interval
2017-06-14 17:08:34 +02:00
default : 15
2017-08-20 17:20:30 +02:00
description :
- For asynchronous tasks in Ansible (covered in Asynchronous Actions and Polling),
this is how often to check back on the status of those tasks when an explicit poll interval is not supplied.
The default is a reasonably moderate 15 seconds which is a tradeoff between checking in frequently and
providing a quick turnaround when something may have completed.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_POLL_INTERVAL}]
ini :
- {key: poll_interval, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
DEFAULT_PRIVATE_KEY_FILE :
2017-08-20 17:20:30 +02:00
name : Private key file
default : ~
description :
- Option for connections using a certificate or key file to authenticate, rather than an agent or passwords,
you can set the default value here to avoid re-specifying --private-key with every invocation.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PRIVATE_KEY_FILE}]
ini :
- {key: private_key_file, section : defaults}
2017-08-15 22:38:59 +02:00
type : path
2017-06-14 17:08:34 +02:00
DEFAULT_PRIVATE_ROLE_VARS :
2017-08-20 17:20:30 +02:00
name : Private role variables
2017-06-14 17:08:34 +02:00
default : False
2018-02-06 15:59:47 +01:00
description :
- Makes role variables inaccessible from other roles.
- This was introduced as a way to reset role variables to default values if
a role is used more than once in a playbook.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PRIVATE_ROLE_VARS}]
ini :
- {key: private_role_vars, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.private_role_vars}
DEFAULT_REMOTE_PORT :
2017-08-20 17:20:30 +02:00
name : Remote port
default : ~
2017-08-15 22:38:59 +02:00
description : Port to use in remote connections, when blank it will use the connection plugin default.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_REMOTE_PORT}]
ini :
- {key: remote_port, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.remote_port}
DEFAULT_REMOTE_USER :
2017-08-20 17:20:30 +02:00
name : Login/Remote User
2017-07-18 03:23:38 +02:00
default :
2017-08-15 22:38:59 +02:00
description :
- Sets the login user for the target machines
2017-09-13 17:09:02 +02:00
- "When blank it uses the connection plugin's default, normally the user currently executing Ansible."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_REMOTE_USER}]
ini :
- {key: remote_user, section : defaults}
DEFAULT_ROLES_PATH :
2017-08-20 17:20:30 +02:00
name : Roles path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Roles.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ROLES_PATH}]
expand_relative_paths : True
ini :
- {key: roles_path, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.roles_path}
DEFAULT_SCP_IF_SSH :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : smart
2017-08-15 22:38:59 +02:00
description :
2018-06-15 05:53:41 +02:00
- "Preferred method to use when transferring files over ssh."
2018-06-07 08:37:53 +02:00
- When set to smart, Ansible will try them until one succeeds or they all fail.
- If set to True, it will force 'scp', if False it will use 'sftp'.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SCP_IF_SSH}]
ini :
- {key: scp_if_ssh, section : ssh_connection}
DEFAULT_SELINUX_SPECIAL_FS :
2017-08-20 17:20:30 +02:00
name : Problematic file systems
2019-08-12 20:45:27 +02:00
default : fuse, nfs, vboxsf, ramfs, 9p, vfat
2017-08-15 22:38:59 +02:00
description :
- "Some filesystems do not support safe operations and/or return inconsistent errors,
this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors."
- Data corruption may occur and writes are not always verified when a filesystem is in the list.
2019-08-12 20:45:27 +02:00
env :
- name : ANSIBLE_SELINUX_SPECIAL_FS
version_added : "2.9"
2017-06-14 17:08:34 +02:00
ini :
- {key: special_context_filesystems, section : selinux}
2017-08-15 22:38:59 +02:00
type : list
2017-06-14 17:08:34 +02:00
DEFAULT_SFTP_BATCH_MODE :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-06-14 17:08:34 +02:00
default : True
2017-08-15 22:38:59 +02:00
description: 'TODO : write it'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SFTP_BATCH_MODE}]
ini :
- {key: sftp_batch_mode, section : ssh_connection}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : ssh_connection.sftp_batch_mode}
DEFAULT_SQUASH_ACTIONS :
2017-08-20 17:20:30 +02:00
name : Squashable actions
2018-06-12 01:58:13 +02:00
default : apk, apt, dnf, homebrew, openbsd_pkg, pacman, pip, pkgng, yum, zypper
2017-08-15 22:38:59 +02:00
description :
2017-09-13 17:09:02 +02:00
- Ansible can optimise actions that call modules that support list parameters when using ``with_`` looping.
2017-08-15 22:38:59 +02:00
Instead of calling the module once for each item, the module is called once with the full list.
2018-06-07 08:37:53 +02:00
- The default value for this setting is only for certain package managers, but it can be used for any module.
2017-08-15 22:38:59 +02:00
- Currently, this is only supported for modules that have a name or pkg parameter, and only when the item is the only thing being passed to the parameter.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SQUASH_ACTIONS}]
ini :
- {key: squash_actions, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
version_added : "2.0"
2018-05-30 19:05:03 +02:00
deprecated :
why : Loop squashing is deprecated and this configuration will no longer be used
version : "2.11"
alternatives : a list directly with the module argument
2017-06-14 17:08:34 +02:00
DEFAULT_SSH_TRANSFER_METHOD :
2017-08-20 17:20:30 +02:00
# TODO: move to ssh plugin
2017-07-18 03:23:38 +02:00
default :
2017-08-15 22:38:59 +02:00
description : 'unused?'
2018-06-15 05:53:41 +02:00
# - "Preferred method to use when transferring files over ssh"
2017-08-15 22:38:59 +02:00
# - Setting to smart will try them until one succeeds or they all fail
#choices: ['sftp', 'scp', 'dd', 'smart']
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SSH_TRANSFER_METHOD}]
ini :
- {key: transfer_method, section : ssh_connection}
DEFAULT_STDOUT_CALLBACK :
2017-08-20 17:20:30 +02:00
name : Main display callback plugin
2017-06-14 17:08:34 +02:00
default : default
2017-08-15 22:38:59 +02:00
description :
- "Set the main callback used to display Ansible output, you can only have one at a time."
- You can have many other callbacks, but just one can be in charge of stdout.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_STDOUT_CALLBACK}]
ini :
- {key: stdout_callback, section : defaults}
Provide a way to explicitly invoke the debugger (#34006)
* Provide a way to explicitly invoke the debugger with in the debug strategy
* Merge the debugger strategy into StrategyBase
* Fix some logic, pin to a single result
* Make redo also continue
* Make sure that if the debug closure doesn't need to process the result, that we still return it
* Fix failing tests for the strategy
* Clean up messages from debugger and exit code to match bin/ansible
* Move the FieldAttribute higher, to apply at different levels
* make debugger a string, expand logic
* Better host state rollbacks
* More explicit debugger prompt
* ENABLE_TASK_DEBUGGER should be boolean, and better docs
* No bare except, add pprint, alias h, vars to task_vars
* _validate_debugger can ignore non-string, that can be caught later
* Address issue if there were no previous tasks/state, and use the correct key
* Update docs for changes to the debugger
* Guard against a stat going negative through use of decrement
* Add a few notes about using the debugger on the free strategy
* Add changelog entry for task debugger
* Add a few versionadded indicators and a note about vars -> task_vars
2018-01-09 20:50:07 +01:00
ENABLE_TASK_DEBUGGER :
name : Whether to enable the task debugger
default : False
description :
- Whether or not to enable the task debugger, this previously was done as a strategy plugin.
- Now all strategy plugins can inherit this behavior. The debugger defaults to activating when
- a task is failed on unreachable. Use the debugger keyword for more flexibility.
type : boolean
env : [ {name : ANSIBLE_ENABLE_TASK_DEBUGGER}]
ini :
- {key: enable_task_debugger, section : defaults}
version_added : "2.5"
2018-05-31 17:14:26 +02:00
TASK_DEBUGGER_IGNORE_ERRORS :
name : Whether a failed task with ignore_errors=True will still invoke the debugger
default : True
description :
- This option defines whether the task debugger will be invoked on a failed task when ignore_errors=True
is specified.
2018-06-15 05:53:41 +02:00
- True specifies that the debugger will honor ignore_errors, False will not honor ignore_errors.
2018-05-31 17:14:26 +02:00
type : boolean
env : [ {name : ANSIBLE_TASK_DEBUGGER_IGNORE_ERRORS}]
ini :
- {key: task_debugger_ignore_errors, section : defaults}
version_added : "2.7"
2017-06-14 17:08:34 +02:00
DEFAULT_STRATEGY :
2017-08-20 17:20:30 +02:00
name : Implied strategy
2017-08-15 22:38:59 +02:00
default : 'linear'
description : Set the default strategy used for plays.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_STRATEGY}]
ini :
- {key: strategy, section : defaults}
2017-08-15 22:38:59 +02:00
version_added : "2.3"
2017-06-14 17:08:34 +02:00
DEFAULT_STRATEGY_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Strategy Plugins Path
description : Colon separated paths in which Ansible will search for Strategy Plugins.
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/strategy:/usr/share/ansible/plugins/strategy
env : [ {name : ANSIBLE_STRATEGY_PLUGINS}]
ini :
- {key: strategy_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_SU :
default : False
2017-08-15 22:38:59 +02:00
description : 'Toggle the use of "su" for tasks.'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SU}]
ini :
- {key: su, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.su}
DEFAULT_SYSLOG_FACILITY :
2017-08-20 17:20:30 +02:00
name : syslog facility
2017-06-14 17:08:34 +02:00
default : LOG_USER
2017-08-20 17:20:30 +02:00
description : Syslog facility to use when Ansible logs to the remote target
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SYSLOG_FACILITY}]
ini :
- {key: syslog_facility, section : defaults}
DEFAULT_TASK_INCLUDES_STATIC :
2017-08-20 17:20:30 +02:00
name : Task include static
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- The `include` tasks can be static or dynamic, this toggles the default expected behaviour if autodetection fails and it is not explicitly set in task.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_TASK_INCLUDES_STATIC}]
ini :
- {key: task_includes_static, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "2.1"
2017-08-15 22:38:59 +02:00
deprecated :
why : include itself is deprecated and this setting will not matter in the future
2018-11-05 18:08:13 +01:00
version : "2.12"
2017-08-15 22:38:59 +02:00
alternatives : None, as its already built into the decision between include_tasks and import_tasks
2018-03-04 04:54:34 +01:00
DEFAULT_TERMINAL_PLUGIN_PATH :
name : Terminal Plugins Path
default : ~/.ansible/plugins/terminal:/usr/share/ansible/plugins/terminal
description : Colon separated paths in which Ansible will search for Terminal Plugins.
env : [ {name : ANSIBLE_TERMINAL_PLUGINS}]
ini :
- {key: terminal_plugins, section : defaults}
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_TEST_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Jinja2 Test Plugins Path
description : Colon separated paths in which Ansible will search for Jinja2 Test Plugins.
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/test:/usr/share/ansible/plugins/test
env : [ {name : ANSIBLE_TEST_PLUGINS}]
ini :
- {key: test_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
2017-06-14 17:08:34 +02:00
DEFAULT_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Connection timeout
2017-06-14 17:08:34 +02:00
default : 10
2017-08-20 17:20:30 +02:00
description : This is the default timeout for connection plugins to use.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_TIMEOUT}]
ini :
- {key: timeout, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
DEFAULT_TRANSPORT :
2017-08-20 17:20:30 +02:00
name : Connection plugin
2017-06-14 17:08:34 +02:00
default : smart
2017-08-15 22:38:59 +02:00
description : "Default connection plugin to use, the 'smart' option will toggle between 'ssh' and 'paramiko' depending on controller OS and ssh versions"
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_TRANSPORT}]
ini :
- {key: transport, section : defaults}
DEFAULT_UNDEFINED_VAR_BEHAVIOR :
2017-08-20 17:20:30 +02:00
name : Jinja2 fail on undefined
2017-06-14 17:08:34 +02:00
default : True
2017-08-20 17:20:30 +02:00
version_added : "1.3"
description :
- When True, this causes ansible templating to fail steps that reference variable names that are likely typoed.
2017-09-13 17:09:02 +02:00
- "Otherwise, any '{{ template_expression }}' that contains undefined variables will be rendered in a template or ansible action line exactly as written."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ERROR_ON_UNDEFINED_VARS}]
ini :
- {key: error_on_undefined_vars, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DEFAULT_VARS_PLUGIN_PATH :
2017-08-20 17:20:30 +02:00
name : Vars Plugins Path
2017-06-14 17:08:34 +02:00
default : ~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars
2017-08-20 17:20:30 +02:00
description : Colon separated paths in which Ansible will search for Vars Plugins.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_VARS_PLUGINS}]
ini :
- {key: vars_plugins, section : defaults}
2017-08-20 17:20:30 +02:00
type : pathspec
# TODO: unused?
#DEFAULT_VAR_COMPRESSION_LEVEL:
# default: 0
# description: 'TODO: write it'
# env: [{name: ANSIBLE_VAR_COMPRESSION_LEVEL}]
# ini:
# - {key: var_compression_level, section: defaults}
# type: integer
# yaml: {key: defaults.var_compression_level}
Support multiple vault passwords (#22756)
Fixes #13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
2017-07-28 21:20:58 +02:00
DEFAULT_VAULT_ID_MATCH :
2017-08-20 17:20:30 +02:00
name : Force vault id match
Support multiple vault passwords (#22756)
Fixes #13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
2017-07-28 21:20:58 +02:00
default : False
2017-08-31 17:12:48 +02:00
description : 'If true, decrypting vaults with a vault id will only try the password from the matching vault-id'
Support multiple vault passwords (#22756)
Fixes #13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
2017-07-28 21:20:58 +02:00
env : [ {name : ANSIBLE_VAULT_ID_MATCH}]
ini :
- {key: vault_id_match, section : defaults}
yaml : {key : defaults.vault_id_match}
DEFAULT_VAULT_IDENTITY :
2017-08-20 17:20:30 +02:00
name : Vault id label
Support multiple vault passwords (#22756)
Fixes #13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
2017-07-28 21:20:58 +02:00
default : default
2017-08-31 17:12:48 +02:00
description : 'The label to use for the default vault id label in cases where a vault id label is not provided'
Support multiple vault passwords (#22756)
Fixes #13243
** Add --vault-id to name/identify multiple vault passwords
Use --vault-id to indicate id and path/type
--vault-id=prompt # prompt for default vault id password
--vault-id=myorg@prompt # prompt for a vault_id named 'myorg'
--vault-id=a_password_file # load ./a_password_file for default id
--vault-id=myorg@a_password_file # load file for 'myorg' vault id
vault_id's are created implicitly for existing --vault-password-file
and --ask-vault-pass options.
Vault ids are just for UX purposes and bookkeeping. Only the vault
payload and the password bytestring is needed to decrypt a
vault blob.
Replace passing password around everywhere with
a VaultSecrets object.
If we specify a vault_id, mention that in password prompts
Specifying multiple -vault-password-files will
now try each until one works
** Rev vault format in a backwards compatible way
The 1.2 vault format adds the vault_id to the header line
of the vault text. This is backwards compatible with older
versions of ansible. Old versions will just ignore it and
treat it as the default (and only) vault id.
Note: only 2.4+ supports multiple vault passwords, so while
earlier ansible versions can read the vault-1.2 format, it
does not make them magically support multiple vault passwords.
use 1.1 format for 'default' vault_id
Vaulted items that need to include a vault_id will be
written in 1.2 format.
If we set a new DEFAULT_VAULT_IDENTITY, then the default will
use version 1.2
vault will only use a vault_id if one is specified. So if none
is specified and C.DEFAULT_VAULT_IDENTITY is 'default'
we use the old format.
** Changes/refactors needed to implement multiple vault passwords
raise exceptions on decrypt fail, check vault id early
split out parsing the vault plaintext envelope (with the
sha/original plaintext) to _split_plaintext_envelope()
some cli fixups for specifying multiple paths in
the unfrack_paths optparse callback
fix py3 dict.keys() 'dict_keys object is not indexable' error
pluralize cli.options.vault_password_file -> vault_password_files
pluralize cli.options.new_vault_password_file -> new_vault_password_files
pluralize cli.options.vault_id -> cli.options.vault_ids
** Add a config option (vault_id_match) to force vault id matching.
With 'vault_id_match=True' and an ansible
vault that provides a vault_id, then decryption will require
that a matching vault_id is required. (via
--vault-id=my_vault_id@password_file, for ex).
In other words, if the config option is true, then only
the vault secrets with matching vault ids are candidates for
decrypting a vault. If option is false (the default), then
all of the provided vault secrets will be selected.
If a user doesn't want all vault secrets to be tried to
decrypt any vault content, they can enable this option.
Note: The vault id used for the match is not encrypted or
cryptographically signed. It is just a label/id/nickname used
for referencing a specific vault secret.
2017-07-28 21:20:58 +02:00
env : [ {name : ANSIBLE_VAULT_IDENTITY}]
ini :
- {key: vault_identity, section : defaults}
yaml : {key : defaults.vault_identity}
2018-01-22 23:12:10 +01:00
DEFAULT_VAULT_ENCRYPT_IDENTITY :
name : Vault id to use for encryption
default :
description : 'The vault_id to use for encrypting by default. If multiple vault_ids are provided, this specifies which to use for encryption. The --encrypt-vault-id cli option overrides the configured value.'
env : [ {name : ANSIBLE_VAULT_ENCRYPT_IDENTITY}]
ini :
- {key: vault_encrypt_identity, section : defaults}
yaml : {key : defaults.vault_encrypt_identity}
2017-08-15 17:56:17 +02:00
DEFAULT_VAULT_IDENTITY_LIST :
2017-08-20 17:20:30 +02:00
name : Default vault ids
2017-08-15 17:56:17 +02:00
default : [ ]
2017-08-31 17:12:48 +02:00
description : 'A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.'
2017-08-15 17:56:17 +02:00
env : [ {name : ANSIBLE_VAULT_IDENTITY_LIST}]
ini :
- {key: vault_identity_list, section : defaults}
2017-08-28 16:13:14 +02:00
type : list
2017-08-15 17:56:17 +02:00
yaml : {key : defaults.vault_identity_list}
2017-06-14 17:08:34 +02:00
DEFAULT_VAULT_PASSWORD_FILE :
2017-08-20 17:20:30 +02:00
name : Vault password file
2017-08-15 22:38:59 +02:00
default : ~
2017-08-31 17:12:48 +02:00
description : 'The vault password file to use. Equivalent to --vault-password-file or --vault-id'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_VAULT_PASSWORD_FILE}]
ini :
- {key: vault_password_file, section : defaults}
2017-08-15 22:38:59 +02:00
type : path
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.vault_password_file}
DEFAULT_VERBOSITY :
2017-08-20 17:20:30 +02:00
name : Verbosity
2017-06-14 17:08:34 +02:00
default : 0
2017-08-20 17:20:30 +02:00
description : Sets the default verbosity, equivalent to the number of ``-v`` passed in the command line.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_VERBOSITY}]
ini :
- {key: verbosity, section : defaults}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
DEPRECATION_WARNINGS :
2017-08-20 17:20:30 +02:00
name : Deprecation messages
2017-06-14 17:08:34 +02:00
default : True
2017-08-15 22:38:59 +02:00
description : "Toggle to control the showing of deprecation warnings"
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_DEPRECATION_WARNINGS}]
ini :
- {key: deprecation_warnings, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
DIFF_ALWAYS :
2017-08-20 17:20:30 +02:00
name : Show differences
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description : Configuration toggle to tell modules to show differences when in 'changed' status, equivalent to ``--diff``.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_DIFF_ALWAYS}]
ini :
- {key: always, section : diff}
2017-08-15 22:38:59 +02:00
type : bool
2017-06-14 17:08:34 +02:00
DIFF_CONTEXT :
2017-08-20 17:20:30 +02:00
name : Difference context
2017-06-14 17:08:34 +02:00
default : 3
2017-08-20 17:20:30 +02:00
description : How many lines of context to show when displaying the differences between files.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_DIFF_CONTEXT}]
ini :
- {key: context, section : diff}
2017-08-15 22:38:59 +02:00
type : integer
2017-06-14 17:08:34 +02:00
DISPLAY_ARGS_TO_STDOUT :
2017-08-20 17:20:30 +02:00
name : Show task arguments
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- "Normally ``ansible-playbook`` will print a header for each task that is run.
These headers will contain the name : field from the task if you specified one.
2017-09-13 17:09:02 +02:00
If you didn't then ``ansible-playbook`` uses the task's action to help you tell which task is presently running.
2017-08-20 17:20:30 +02:00
Sometimes you run many of the same action and so you want more information about the task to differentiate it from others of the same action.
2017-09-13 17:09:02 +02:00
If you set this variable to True in the config then ``ansible-playbook`` will also include the task's arguments in the header."
- "This setting defaults to False because there is a chance that you have sensitive values in your parameters and
you do not want those to be printed."
- "If you set this to True you should be sure that you have secured your environment's stdout
(no one can shoulder surf your screen and you aren't saving stdout to an insecure file) or
2018-06-15 05:53:41 +02:00
made sure that all of your playbooks explicitly added the ``no_log : True `` parameter to tasks which have sensitive values
2017-08-20 17:20:30 +02:00
See How do I keep secret data in my playbook? for more information."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_DISPLAY_ARGS_TO_STDOUT}]
ini :
- {key: display_args_to_stdout, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-08-20 17:20:30 +02:00
version_added : "2.1"
2017-06-14 17:08:34 +02:00
DISPLAY_SKIPPED_HOSTS :
2017-08-20 17:20:30 +02:00
name : Show skipped results
2017-06-14 17:08:34 +02:00
default : True
2017-08-20 17:20:30 +02:00
description : "Toggle to control displaying skipped task/host entries in a task in the default callback"
2019-03-26 22:43:48 +01:00
env :
- name : DISPLAY_SKIPPED_HOSTS
deprecated :
why : environment variables without "ANSIBLE_" prefix are deprecated
version : "2.12"
alternatives : the "ANSIBLE_DISPLAY_SKIPPED_HOSTS" environment variable
- name : ANSIBLE_DISPLAY_SKIPPED_HOSTS
2017-06-14 17:08:34 +02:00
ini :
- {key: display_skipped_hosts, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2019-02-28 08:52:02 +01:00
DOCSITE_ROOT_URL :
name : Root docsite URL
default : https://docs.ansible.com/ansible/
description : Root docsite URL used to generate docs URLs in warning/error text;
must be an absolute URL with valid scheme and trailing slash.
ini :
- {key: docsite_root_url, section : defaults}
version_added : "2.8"
2019-05-28 17:57:16 +02:00
DUPLICATE_YAML_DICT_KEY :
name : Controls ansible behaviour when finding duplicate keys in YAML.
default : warn
2019-05-23 15:42:44 +02:00
description :
- By default Ansible will issue a warning when a duplicate dict key is encountered in YAML.
- These warnings can be silenced by adjusting this setting to False.
2019-05-28 17:57:16 +02:00
env : [ {name : ANSIBLE_DUPLICATE_YAML_DICT_KEY}]
2019-05-23 15:42:44 +02:00
ini :
2019-05-28 17:57:16 +02:00
- {key: duplicate_dict_key, section : defaults}
type : string
choices : [ 'warn' , 'error' , 'ignore' ]
2019-05-23 15:42:44 +02:00
version_added : "2.9"
2017-06-14 17:08:34 +02:00
ERROR_ON_MISSING_HANDLER :
2017-08-20 17:20:30 +02:00
name : Missing handler error
2017-06-14 17:08:34 +02:00
default : True
2017-08-15 22:38:59 +02:00
description : "Toggle to allow missing handlers to become a warning instead of an error when notifying."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_ERROR_ON_MISSING_HANDLER}]
ini :
- {key: error_on_missing_handler, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2019-03-08 19:08:37 +01:00
CONNECTION_FACTS_MODULES :
name : Map of connections to fact modules
default :
eos : eos_facts
frr : frr_facts
ios : ios_facts
iosxr : iosxr_facts
junos : junos_facts
nxos : nxos_facts
vyos : vyos_facts
2019-10-22 14:57:11 +02:00
exos : exos_facts
slxos : slxos_facts
voss : voss_facts
ironware : ironware_facts
2019-03-08 19:08:37 +01:00
description : "Which modules to run during a play's fact gathering stage based on connection"
env : [ {name : ANSIBLE_CONNECTION_FACTS_MODULES}]
ini :
- {key: connection_facts_modules, section : defaults}
type : dict
FACTS_MODULES :
name : Gather Facts Modules
default :
- smart
description : "Which modules to run during a play's fact gathering stage, using the default of 'smart' will try to figure it out based on connection type."
env : [ {name : ANSIBLE_FACTS_MODULES}]
ini :
- {key: facts_modules, section : defaults}
type : list
vars :
- name : ansible_facts_modules
2017-06-14 17:08:34 +02:00
GALAXY_IGNORE_CERTS :
2017-08-20 17:20:30 +02:00
name : Galaxy validate certs
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description :
- If set to yes, ansible-galaxy will not validate TLS certificates.
This can be useful for testing against a server with a self-signed certificate.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_GALAXY_IGNORE}]
ini :
- {key: ignore_certs, section : galaxy}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
GALAXY_ROLE_SKELETON :
2019-07-09 21:47:25 +02:00
name : Galaxy role or collection skeleton directory
2017-07-18 03:23:38 +02:00
default :
2019-07-09 21:47:25 +02:00
description : Role or collection skeleton directory to use as a template for the ``init`` action in ``ansible-galaxy``, same as ``--role-skeleton``.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_GALAXY_ROLE_SKELETON}]
ini :
- {key: role_skeleton, section : galaxy}
2017-08-15 22:38:59 +02:00
type : path
2017-06-14 17:08:34 +02:00
GALAXY_ROLE_SKELETON_IGNORE :
2017-08-20 17:20:30 +02:00
name : Galaxy skeleton ignore
2017-09-13 17:09:02 +02:00
default : [ "^.git$" , "^.*/.git_keep$" ]
2019-07-09 21:47:25 +02:00
description : patterns of files to ignore inside a Galaxy role or collection skeleton directory
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_GALAXY_ROLE_SKELETON_IGNORE}]
ini :
- {key: role_skeleton_ignore, section : galaxy}
2017-08-15 22:38:59 +02:00
type : list
2017-08-20 17:20:30 +02:00
# TODO: unused?
#GALAXY_SCMS:
# name: Galaxy SCMS
# default: git, hg
# description: Available galaxy source control management systems.
# env: [{name: ANSIBLE_GALAXY_SCMS}]
# ini:
# - {key: scms, section: galaxy}
# type: list
2017-06-14 17:08:34 +02:00
GALAXY_SERVER :
default : https://galaxy.ansible.com
2017-08-15 22:38:59 +02:00
description : "URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source."
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_GALAXY_SERVER}]
ini :
- {key: server, section : galaxy}
yaml : {key : galaxy.server}
2019-08-20 23:49:05 +02:00
GALAXY_SERVER_LIST :
description :
- A list of Galaxy servers to use when installing a collection.
- The value corresponds to the config ini header ``[galaxy_server.{{item}}]`` which defines the server details.
- 'See :ref:`galaxy_server_config` for more details on how to define a Galaxy server.'
- The order of servers in this list is used to as the order in which a collection is resolved.
- Setting this config option will ignore the :ref:`galaxy_server` config option.
env : [ {name : ANSIBLE_GALAXY_SERVER_LIST}]
ini :
- {key: server_list, section : galaxy}
type : list
version_added : "2.9"
2018-01-16 16:37:50 +01:00
GALAXY_TOKEN :
default : null
2018-01-24 12:36:40 +01:00
description : "GitHub personal access token"
2018-01-16 16:37:50 +01:00
env : [ {name : ANSIBLE_GALAXY_TOKEN}]
ini :
- {key: token, section : galaxy}
yaml : {key : galaxy.token}
2019-08-14 01:47:40 +02:00
GALAXY_TOKEN_PATH :
default : ~/.ansible/galaxy_token
description : "Local path to galaxy access token file"
env : [ {name : ANSIBLE_GALAXY_TOKEN_PATH}]
ini :
- {key: token_path, section : galaxy}
type : path
2019-08-20 23:49:05 +02:00
version_added : "2.9"
2019-09-13 03:06:18 +02:00
GALAXY_DISPLAY_PROGRESS :
default : ~
description :
- Some steps in ``ansible-galaxy`` display a progress wheel which can cause issues on certain displays or when
outputing the stdout to a file.
- This config option controls whether the display wheel is shown or not.
- The default is to show the display wheel if stdout has a tty.
env : [ {name : ANSIBLE_GALAXY_DISPLAY_PROGRESS}]
ini :
- {key: display_progress, section : galaxy}
type : bool
version_added : "2.10"
2017-06-14 17:08:34 +02:00
HOST_KEY_CHECKING :
2017-08-20 17:20:30 +02:00
name : Check host keys
2017-06-14 17:08:34 +02:00
default : True
2017-08-15 22:38:59 +02:00
description : 'Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_HOST_KEY_CHECKING}]
ini :
- {key: host_key_checking, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2019-01-25 22:00:28 +01:00
HOST_PATTERN_MISMATCH :
name : Control host pattern mismatch behaviour
default : 'warning'
description : This setting changes the behaviour of mismatched host patterns, it allows you to force a fatal error, a warning or just ignore it
env : [ {name : ANSIBLE_HOST_PATTERN_MISMATCH}]
ini :
- {key: host_pattern_mismatch, section : inventory}
choices : [ 'warning' , 'error' , 'ignore' ]
version_added : "2.8"
2019-02-28 08:52:02 +01:00
INTERPRETER_PYTHON :
name : Python interpreter path (or automatic discovery behavior) used for module execution
default : auto_legacy
env : [ {name : ANSIBLE_PYTHON_INTERPRETER}]
ini :
- {key: interpreter_python, section : defaults}
vars :
- {name : ansible_python_interpreter}
version_added : "2.8"
description :
- Path to the Python interpreter to be used for module execution on remote targets, or an automatic discovery mode.
Supported discovery modes are ``auto``, ``auto_silent``, and ``auto_legacy`` (the default). All discovery modes
employ a lookup table to use the included system Python (on distributions known to include one), falling back to a
fixed ordered list of well-known Python interpreter locations if a platform-specific default is not available. The
fallback behavior will issue a warning that the interpreter should be set explicitly (since interpreters installed
later may change which one is used). This warning behavior can be disabled by setting ``auto_silent``. The default
value of ``auto_legacy`` provides all the same behavior, but for backwards-compatibility with older Ansible releases
that always defaulted to ``/usr/bin/python``, will use that interpreter if present (and issue a warning that the
default behavior will change to that of ``auto`` in a future Ansible release.
INTERPRETER_PYTHON_DISTRO_MAP :
name : Mapping of known included platform pythons for various Linux distros
default :
centos : &rhelish
'6' : /usr/bin/python
'8' : /usr/libexec/platform-python
2019-11-14 20:52:13 +01:00
debian :
'10' : /usr/bin/python3
2019-02-28 08:52:02 +01:00
fedora :
'23' : /usr/bin/python3
redhat : *rhelish
rhel : *rhelish
ubuntu :
'14' : /usr/bin/python
'16' : /usr/bin/python3
version_added : "2.8"
# FUTURE: add inventory override once we're sure it can't be abused by a rogue target
# FUTURE: add a platform layer to the map so we could use for, eg, freebsd/macos/etc?
INTERPRETER_PYTHON_FALLBACK :
name : Ordered list of Python interpreters to check for in discovery
default :
- /usr/bin/python
- python3.7
- python3.6
- python3.5
- python2.7
- python2.6
- /usr/libexec/platform-python
- /usr/bin/python3
- python
# FUTURE: add inventory override once we're sure it can't be abused by a rogue target
version_added : "2.8"
2019-03-06 17:49:40 +01:00
TRANSFORM_INVALID_GROUP_CHARS :
name : Transform invalid characters in group names
2019-03-11 20:12:14 +01:00
default : 'never'
2019-03-06 17:49:40 +01:00
description :
- Make ansible transform invalid characters in group names supplied by inventory sources.
2019-03-11 20:12:14 +01:00
- If 'never' it will allow for the group name but warn about the issue.
2019-08-08 19:50:20 +02:00
- When 'ignore', it does the same as 'never', without issuing a warning.
2019-11-08 22:13:13 +01:00
- When 'always' it will replace any invalid characters with '_' (underscore) and warn the user
2019-08-08 19:50:20 +02:00
- When 'silently', it does the same as 'always', without issuing a warning.
2019-03-06 17:49:40 +01:00
env : [ {name : ANSIBLE_TRANSFORM_INVALID_GROUP_CHARS}]
ini :
- {key: force_valid_group_names, section : defaults}
2019-03-11 20:12:14 +01:00
type : string
2019-08-08 19:50:20 +02:00
choices : [ 'always' , 'never' , 'ignore' , 'silently' ]
2019-03-06 17:49:40 +01:00
version_added : '2.8'
2018-07-08 20:11:39 +02:00
INVALID_TASK_ATTRIBUTE_FAILED :
name : Controls whether invalid attributes for a task result in errors instead of warnings
2018-08-16 23:30:47 +02:00
default : True
description : If 'false', invalid attributes for a task will result in warnings instead of errors
2018-07-08 20:11:39 +02:00
type : boolean
env :
- name : ANSIBLE_INVALID_TASK_ATTRIBUTE_FAILED
ini :
- key : invalid_task_attribute_failed
section : defaults
version_added : "2.7"
Introduce inventory.any_unparsed_is_failed configuration setting (#41171)
In the process of building up the inventory by parsing each inventory
source with each available inventory plugin, there are three kinds of
possible errors (listed in order from earliest to latest):
1. One source could not be parsed by a particular plugin.
2. One source could not be parsed by any available plugin.
3. ALL sources could not be parsed by any available plugin.
The errors in (1) are a part of normal operation, e.g., the script
plugin is expected to fail to parse an ini-format source, and we will
ignore that error and try the next plugin. There is currently no way to
control this, and no known compelling use-case for a setting to control
it. This commit does not make any changes here.
We implement "any_unparsed_is_failed" to handle (2) above. If enabled,
this requires that every available source be parsed validly by at least
one plugin. In an inventory comprising a static hosts file and ec2.py,
this setting will cause a fatal error if ec2.py fails (a situation that
attracted only a warning earlier).
We clarify that the existing "unparsed_is_failed=true" setting causes a
fatal error only in (3) above, i.e., if NO inventory source could be
parsed. In other words, if there is ANY valid source in the inventory
(e.g., an ini-format static file), no combination of errors and the
setting will cause a fatal error.
If you want to execute your playbooks when your inventory is…
(a) complete, use "any_unparsed_is_failed=true".
(b) not empty, use "unparsed_is_failed=true".
The "unparsed_is_failed" setting should be renamed to
"all_unparsed_is_failed", but this commit does not do so.
Fixes #40512
Fixes #40996
2018-06-06 05:58:58 +02:00
INVENTORY_ANY_UNPARSED_IS_FAILED :
name : Controls whether any unparseable inventory source is a fatal error
default : False
description : >
If 'true', it is a fatal error when any given inventory source
cannot be successfully parsed by any available inventory plugin;
otherwise, this situation only attracts a warning.
type : boolean
env : [ {name : ANSIBLE_INVENTORY_ANY_UNPARSED_IS_FAILED}]
ini :
- {key: any_unparsed_is_failed, section : inventory}
version_added : "2.7"
2018-12-05 23:09:49 +01:00
INVENTORY_CACHE_ENABLED :
name : Inventory caching enabled
default : False
description : Toggle to turn on inventory caching
env : [ {name : ANSIBLE_INVENTORY_CACHE}]
ini :
- {key: cache, section : inventory}
type : bool
INVENTORY_CACHE_PLUGIN :
name : Inventory cache plugin
description : The plugin for caching inventory. If INVENTORY_CACHE_PLUGIN is not provided CACHE_PLUGIN can be used instead.
env : [ {name : ANSIBLE_INVENTORY_CACHE_PLUGIN}]
ini :
- {key: cache_plugin, section : inventory}
INVENTORY_CACHE_PLUGIN_CONNECTION :
name : Inventory cache plugin URI to override the defaults section
description : The inventory cache connection. If INVENTORY_CACHE_PLUGIN_CONNECTION is not provided CACHE_PLUGIN_CONNECTION can be used instead.
env : [ {name : ANSIBLE_INVENTORY_CACHE_CONNECTION}]
ini :
- {key: cache_connection, section : inventory}
INVENTORY_CACHE_PLUGIN_PREFIX :
name : Inventory cache plugin table prefix
description : The table prefix for the cache plugin. If INVENTORY_CACHE_PLUGIN_PREFIX is not provided CACHE_PLUGIN_PREFIX can be used instead.
env : [ {name : ANSIBLE_INVENTORY_CACHE_PLUGIN_PREFIX}]
default : ansible_facts
ini :
- {key: cache_prefix, section : inventory}
INVENTORY_CACHE_TIMEOUT :
name : Inventory cache plugin expiration timeout
description : Expiration timeout for the inventory cache plugin data. If INVENTORY_CACHE_TIMEOUT is not provided CACHE_TIMEOUT can be used instead.
default : 3600
env : [ {name : ANSIBLE_INVENTORY_CACHE_TIMEOUT}]
ini :
- {key: cache_timeout, section : inventory}
2017-06-14 17:08:34 +02:00
INVENTORY_ENABLED :
2017-08-20 17:20:30 +02:00
name : Active Inventory plugins
2018-12-11 21:17:05 +01:00
default : [ 'host_list' , 'script' , 'auto' , 'yaml' , 'ini' , 'toml' ]
2017-08-15 22:38:59 +02:00
description : List of enabled inventory plugins, it also determines the order in which they are used.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_INVENTORY_ENABLED}]
ini :
2017-08-28 23:17:19 +02:00
- {key: enable_plugins, section : inventory}
2017-08-15 22:38:59 +02:00
type : list
2018-02-14 21:45:15 +01:00
INVENTORY_EXPORT :
name : Set ansible-inventory into export mode
default : False
description : Controls if ansible-inventory will accurately reflect Ansible's view into inventory or its optimized for exporting.
env : [ {name : ANSIBLE_INVENTORY_EXPORT}]
ini :
- {key: export, section : inventory}
type : bool
2017-06-14 17:08:34 +02:00
INVENTORY_IGNORE_EXTS :
2017-08-20 17:20:30 +02:00
name : Inventory ignore extensions
2018-10-31 21:04:29 +01:00
default : "{{(BLACKLIST_EXTS + ( '.orig', '.ini', '.cfg', '.retry'))}}"
2017-08-15 22:38:59 +02:00
description : List of extensions to ignore when using a directory as an inventory source
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_INVENTORY_IGNORE}]
ini :
- {key: inventory_ignore_extensions, section : defaults}
2017-08-28 23:17:19 +02:00
- {key: ignore_extensions, section : inventory}
2017-08-15 22:38:59 +02:00
type : list
2017-06-14 17:08:34 +02:00
INVENTORY_IGNORE_PATTERNS :
2017-08-20 17:20:30 +02:00
name : Inventory ignore patterns
2017-06-14 17:08:34 +02:00
default : [ ]
2017-08-15 22:38:59 +02:00
description : List of patterns to ignore when using a directory as an inventory source
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_INVENTORY_IGNORE_REGEX}]
ini :
- {key: inventory_ignore_patterns, section : defaults}
2017-08-28 23:17:19 +02:00
- {key: ignore_patterns, section : inventory}
2017-08-15 22:38:59 +02:00
type : list
2017-08-28 23:17:19 +02:00
INVENTORY_UNPARSED_IS_FAILED :
2017-08-20 17:20:30 +02:00
name : Unparsed Inventory failure
2017-08-28 23:17:19 +02:00
default : False
Introduce inventory.any_unparsed_is_failed configuration setting (#41171)
In the process of building up the inventory by parsing each inventory
source with each available inventory plugin, there are three kinds of
possible errors (listed in order from earliest to latest):
1. One source could not be parsed by a particular plugin.
2. One source could not be parsed by any available plugin.
3. ALL sources could not be parsed by any available plugin.
The errors in (1) are a part of normal operation, e.g., the script
plugin is expected to fail to parse an ini-format source, and we will
ignore that error and try the next plugin. There is currently no way to
control this, and no known compelling use-case for a setting to control
it. This commit does not make any changes here.
We implement "any_unparsed_is_failed" to handle (2) above. If enabled,
this requires that every available source be parsed validly by at least
one plugin. In an inventory comprising a static hosts file and ec2.py,
this setting will cause a fatal error if ec2.py fails (a situation that
attracted only a warning earlier).
We clarify that the existing "unparsed_is_failed=true" setting causes a
fatal error only in (3) above, i.e., if NO inventory source could be
parsed. In other words, if there is ANY valid source in the inventory
(e.g., an ini-format static file), no combination of errors and the
setting will cause a fatal error.
If you want to execute your playbooks when your inventory is…
(a) complete, use "any_unparsed_is_failed=true".
(b) not empty, use "unparsed_is_failed=true".
The "unparsed_is_failed" setting should be renamed to
"all_unparsed_is_failed", but this commit does not do so.
Fixes #40512
Fixes #40996
2018-06-06 05:58:58 +02:00
description : >
If 'true' it is a fatal error if every single potential inventory
source fails to parse, otherwise this situation will only attract a
warning.
2017-08-28 23:17:19 +02:00
env : [ {name : ANSIBLE_INVENTORY_UNPARSED_FAILED}]
ini :
- {key: unparsed_is_failed, section : inventory}
2017-08-20 17:20:30 +02:00
type : bool
2017-06-14 17:08:34 +02:00
MAX_FILE_SIZE_FOR_DIFF :
2018-06-15 05:53:41 +02:00
name : Diff maximum file size
2017-06-14 17:08:34 +02:00
default : 104448
2017-08-15 22:38:59 +02:00
description : Maximum size of files to be considered for diff display
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_MAX_DIFF_SIZE}]
ini :
- {key: max_diff_size, section : defaults}
2017-08-20 17:20:30 +02:00
type : int
2017-06-14 17:08:34 +02:00
NETWORK_GROUP_MODULES :
2017-08-20 17:20:30 +02:00
name : Network module families
2019-10-21 19:31:26 +02:00
default : [ eos, nxos, ios, iosxr, junos, enos, ce, vyos, sros, dellos9, dellos10, dellos6, asa, aruba, aireos, bigip, ironware, onyx, netconf, exos, voss, slxos]
2017-08-15 22:38:59 +02:00
description: 'TODO : write it'
2019-03-26 22:43:48 +01:00
env :
- name : NETWORK_GROUP_MODULES
deprecated :
why : environment variables without "ANSIBLE_" prefix are deprecated
version : "2.12"
alternatives : the "ANSIBLE_NETWORK_GROUP_MODULES" environment variable
- name : ANSIBLE_NETWORK_GROUP_MODULES
2017-06-14 17:08:34 +02:00
ini :
- {key: network_group_modules, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
2017-06-14 17:08:34 +02:00
yaml : {key : defaults.network_group_modules}
2017-10-29 05:33:02 +01:00
INJECT_FACTS_AS_VARS :
default : True
description :
- Facts are available inside the `ansible_facts` variable, this setting also pushes them as their own vars in the main namespace.
- Unlike inside the `ansible_facts` dictionary, these will have an `ansible_` prefix.
env : [ {name : ANSIBLE_INJECT_FACT_VARS}]
ini :
- {key: inject_facts_as_vars, section : defaults}
type : boolean
version_added : "2.5"
2019-03-12 21:19:56 +01:00
OLD_PLUGIN_CACHE_CLEARING :
description : Previouslly Ansible would only clear some of the plugin loading caches when loading new roles, this led to some behaviours in which a plugin loaded in prevoius plays would be unexpectedly 'sticky'. This setting allows to return to that behaviour.
env : [ {name : ANSIBLE_OLD_PLUGIN_CACHE_CLEAR}]
ini :
- {key: old_plugin_cache_clear, section : defaults}
type : boolean
default : False
version_added : "2.8"
2017-06-14 17:08:34 +02:00
PARAMIKO_HOST_KEY_AUTO_ADD :
2017-08-20 17:20:30 +02:00
# TODO: move to plugin
2017-06-14 17:08:34 +02:00
default : False
2017-08-15 22:38:59 +02:00
description: 'TODO : write it'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PARAMIKO_HOST_KEY_AUTO_ADD}]
ini :
- {key: host_key_auto_add, section : paramiko_connection}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-14 17:08:34 +02:00
PARAMIKO_LOOK_FOR_KEYS :
2017-11-16 19:49:57 +01:00
name : look for keys
2017-06-14 17:08:34 +02:00
default : True
2017-08-15 22:38:59 +02:00
description: 'TODO : write it'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PARAMIKO_LOOK_FOR_KEYS}]
ini :
- {key: look_for_keys, section : paramiko_connection}
2017-08-15 22:38:59 +02:00
type : boolean
2017-06-15 12:14:43 +02:00
PERSISTENT_CONTROL_PATH_DIR :
2017-08-20 17:20:30 +02:00
name : Persistence socket path
2017-06-15 12:14:43 +02:00
default : ~/.ansible/pc
2017-08-20 17:20:30 +02:00
description : Path to socket to be used by the connection persistence system.
2017-06-15 12:14:43 +02:00
env : [ {name : ANSIBLE_PERSISTENT_CONTROL_PATH_DIR}]
ini :
- {key: control_path_dir, section : persistent_connection}
2017-08-20 17:20:30 +02:00
type : path
2017-06-14 17:08:34 +02:00
PERSISTENT_CONNECT_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Persistence timeout
2017-06-14 17:08:34 +02:00
default : 30
2017-08-16 16:55:39 +02:00
description : This controls how long the persistent connection will remain idle before it is destroyed.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PERSISTENT_CONNECT_TIMEOUT}]
ini :
- {key: connect_timeout, section : persistent_connection}
2017-08-15 22:38:59 +02:00
type : integer
2017-08-01 19:45:45 +02:00
PERSISTENT_CONNECT_RETRY_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Persistence connection retry timeout
2017-08-01 19:45:45 +02:00
default : 15
2019-09-30 21:31:35 +02:00
description : This controls the retry timeout for persistent connection to connect to the local domain socket.
2017-08-01 19:45:45 +02:00
env : [ {name : ANSIBLE_PERSISTENT_CONNECT_RETRY_TIMEOUT}]
ini :
- {key: connect_retry_timeout, section : persistent_connection}
2017-08-16 16:55:39 +02:00
type : integer
2017-08-01 19:45:45 +02:00
PERSISTENT_COMMAND_TIMEOUT :
2017-08-20 17:20:30 +02:00
name : Persistence command timeout
2019-01-21 06:20:52 +01:00
default : 30
2019-09-30 21:31:35 +02:00
description : This controls the amount of time to wait for response from remote device before timing out persistent connection.
2017-08-01 19:45:45 +02:00
env : [ {name : ANSIBLE_PERSISTENT_COMMAND_TIMEOUT}]
ini :
- {key: command_timeout, section : persistent_connection}
2017-08-20 17:20:30 +02:00
type : int
2019-10-09 02:34:15 +02:00
PLAYBOOK_DIR :
name : playbook dir override for non-playbook CLIs (ala --playbook-dir)
version_added : "2.9"
description :
- A number of non-playbook CLIs have a ``--playbook-dir`` argument; this sets the default value for it.
env : [ {name : ANSIBLE_PLAYBOOK_DIR}]
ini : [ {key: playbook_dir, section : defaults}]
type : path
2017-10-02 18:13:18 +02:00
PLAYBOOK_VARS_ROOT :
name : playbook vars files root
default : top
version_added : "2.4.1"
description :
- This sets which playbook dirs will be used as a root to process vars plugins, which includes finding host_vars/group_vars
- The ``top`` option follows the traditional behaviour of using the top playbook in the chain to find the root directory.
- The ``bottom`` option follows the 2.4.0 behaviour of using the current playbook to find the root directory.
- The ``all`` option examines from the first parent to the current playbook.
env : [ {name : ANSIBLE_PLAYBOOK_VARS_ROOT}]
ini :
- {key: playbook_vars_root, section : defaults}
choices : [ top, bottom, all ]
2018-01-16 07:35:01 +01:00
PLUGIN_FILTERS_CFG :
name : Config file for limiting valid plugins
default : null
version_added : "2.5.0"
description :
2018-01-23 01:58:43 +01:00
- "A path to configuration for filtering which plugins installed on the system are allowed to be used."
2018-04-20 09:24:47 +02:00
- "See :ref:`plugin_filtering_config` for details of the filter file's format."
2018-01-16 07:35:01 +01:00
- " The default is /etc/ansible/plugin_filters.yml"
ini :
- key : plugin_filters_cfg
section : default
2018-09-24 21:34:59 +02:00
deprecated :
why : Specifying "plugin_filters_cfg" under the "default" section is deprecated
version : "2.12"
alternatives : the "defaults" section instead
- key : plugin_filters_cfg
section : defaults
type : path
2019-02-16 02:52:35 +01:00
PYTHON_MODULE_RLIMIT_NOFILE :
name : Adjust maximum file descriptor soft limit during Python module execution
description :
- Attempts to set RLIMIT_NOFILE soft limit to the specified value when executing Python modules (can speed up subprocess usage on
Python 2.x. See https://bugs.python.org/issue11284). The value will be limited by the existing hard limit. Default
value of 0 does not attempt to adjust existing system-defined limits.
default : 0
env :
- {name : ANSIBLE_PYTHON_MODULE_RLIMIT_NOFILE}
ini :
- {key: python_module_rlimit_nofile, section : defaults}
vars :
- {name : ansible_python_module_rlimit_nofile}
version_added : '2.8'
2017-06-14 17:08:34 +02:00
RETRY_FILES_ENABLED :
2017-08-20 17:20:30 +02:00
name : Retry files
2019-02-28 16:13:26 +01:00
default : False
2017-08-15 22:38:59 +02:00
description : This controls whether a failed Ansible playbook should create a .retry file.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_RETRY_FILES_ENABLED}]
ini :
- {key: retry_files_enabled, section : defaults}
2017-08-20 17:20:30 +02:00
type : bool
2017-06-14 17:08:34 +02:00
RETRY_FILES_SAVE_PATH :
2017-08-20 17:20:30 +02:00
name : Retry files path
2017-06-14 17:08:34 +02:00
default : ~
2017-08-15 22:38:59 +02:00
description : This sets the path in which Ansible will save .retry files when a playbook fails and retry files are enabled.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_RETRY_FILES_SAVE_PATH}]
ini :
- {key: retry_files_save_path, section : defaults}
2017-08-15 22:38:59 +02:00
type : path
2019-11-04 17:41:14 +01:00
RUN_VARS_PLUGINS :
name : When should vars plugins run relative to inventory
default : demand
description :
- This setting can be used to optimize vars_plugin usage depending on user's inventory size and play selection.
- Setting to C(demand) will run vars_plugins relative to inventory sources anytime vars are 'demanded' by tasks.
- Setting to C(start) will run vars_plugins relative to inventory sources after importing that inventory source.
env : [ {name : ANSIBLE_RUN_VARS_PLUGINS}]
ini :
- {key: run_vars_plugins, section : defaults}
type : str
choices : [ 'demand' , 'start' ]
version_added : "2.10"
2017-06-14 17:08:34 +02:00
SHOW_CUSTOM_STATS :
2017-08-20 17:20:30 +02:00
name : Display custom stats
2017-06-14 17:08:34 +02:00
default : False
2017-08-15 22:38:59 +02:00
description : 'This adds the custom stats set via the set_stats plugin to the default output'
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SHOW_CUSTOM_STATS}]
ini :
- {key: show_custom_stats, section : defaults}
2017-08-20 17:20:30 +02:00
type : bool
2017-06-14 17:08:34 +02:00
STRING_TYPE_FILTERS :
2017-08-20 17:20:30 +02:00
name : Filters to preserve strings
2017-06-14 17:08:34 +02:00
default : [ string, to_json, to_nice_json, to_yaml, ppretty, json]
2017-08-15 22:38:59 +02:00
description :
- "This list of filters avoids 'type conversion' when templating variables"
- Useful when you want to avoid conversion into lists or dictionaries for JSON strings, for example.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_STRING_TYPE_FILTERS}]
ini :
- {key: dont_type_filters, section : jinja2}
2017-08-15 22:38:59 +02:00
type : list
2017-06-14 17:08:34 +02:00
SYSTEM_WARNINGS :
2017-08-20 17:20:30 +02:00
name : System warnings
2017-06-14 17:08:34 +02:00
default : True
2017-08-20 17:20:30 +02:00
description :
- Allows disabling of warnings related to potential issues on the system running ansible itself (not on the managed hosts)
- These may include warnings about 3rd party packages or other conditions that should be resolved if possible.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_SYSTEM_WARNINGS}]
ini :
- {key: system_warnings, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2017-09-21 22:23:16 +02:00
TAGS_RUN :
name : Run Tags
default : [ ]
type : list
description : default list of tags to run in your plays, Skip Tags has precedence.
env : [ {name : ANSIBLE_RUN_TAGS}]
ini :
- {key: run, section : tags}
2018-08-23 15:46:54 +02:00
version_added : "2.5"
2017-09-21 22:23:16 +02:00
TAGS_SKIP :
name : Skip Tags
default : [ ]
type : list
description : default list of tags to skip in your plays, has precedence over Run Tags
env : [ {name : ANSIBLE_SKIP_TAGS}]
ini :
- {key: skip, section : tags}
2018-08-23 15:46:54 +02:00
version_added : "2.5"
2017-06-14 17:08:34 +02:00
USE_PERSISTENT_CONNECTIONS :
2017-08-20 17:20:30 +02:00
name : Persistence
2017-06-14 17:08:34 +02:00
default : False
2017-08-20 17:20:30 +02:00
description : Toggles the use of persistence for connections.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_USE_PERSISTENT_CONNECTIONS}]
ini :
- {key: use_persistent_connections, section : defaults}
2017-08-15 22:38:59 +02:00
type : boolean
2019-11-04 17:41:14 +01:00
VARIABLE_PLUGINS_ENABLED :
name : Vars plugin whitelist
default : [ 'host_group_vars' ]
description : Whitelist for variable plugins that require it.
env : [ {name : ANSIBLE_VARS_ENABLED}]
ini :
- {key: vars_plugins_enabled, section : defaults}
type : list
version_added : "2.10"
2017-06-14 17:08:34 +02:00
VARIABLE_PRECEDENCE :
2017-08-20 17:20:30 +02:00
name : Group variable precedence
default : [ 'all_inventory' , 'groups_inventory' , 'all_plugins_inventory' , 'all_plugins_play' , 'groups_plugins_inventory' , 'groups_plugins_play' ]
description : Allows to change the group variable precedence merge order.
2017-06-14 17:08:34 +02:00
env : [ {name : ANSIBLE_PRECEDENCE}]
ini :
- {key: precedence, section : defaults}
2017-08-15 22:38:59 +02:00
type : list
2017-08-20 17:20:30 +02:00
version_added : "2.4"
2017-07-14 01:19:34 +02:00
YAML_FILENAME_EXTENSIONS :
2017-08-20 17:20:30 +02:00
name : Valid YAML extensions
2017-07-14 01:19:34 +02:00
default : [ ".yml" , ".yaml" , ".json" ]
2017-08-15 22:38:59 +02:00
description :
- "Check all of these extensions when looking for 'variable' files which should be YAML or JSON or vaulted versions of these."
- 'This affects vars_files, include_vars, inventory and vars plugins among others.'
2017-07-14 01:19:34 +02:00
env :
- name : ANSIBLE_YAML_FILENAME_EXT
ini :
2017-09-29 04:59:25 +02:00
- section : defaults
key : yaml_valid_extensions
2017-08-15 22:38:59 +02:00
type : list
2018-07-03 20:24:26 +02:00
NETCONF_SSH_CONFIG :
2018-07-04 08:07:35 +02:00
description : This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump
host ssh settings should be present in ~/.ssh/config file, alternatively it can be set
to custom ssh configuration file path to read the bastion/jump host settings.
2018-07-03 20:24:26 +02:00
env : [ {name : ANSIBLE_NETCONF_SSH_CONFIG}]
ini :
- {key: ssh_config, section : netconf_connection}
yaml : {key : netconf_connection.ssh_config}
2018-07-04 08:24:28 +02:00
default : null
2019-02-22 22:44:32 +01:00
STRING_CONVERSION_ACTION :
version_added : '2.8'
description :
- Action to take when a module parameter value is converted to a string (this does not affect variables).
For string parameters, values such as '1.00', "['a', 'b',]", and 'yes', 'y', etc.
will be converted by the YAML parser unless fully quoted.
- Valid options are 'error', 'warn', and 'ignore'.
- Since 2.8, this option defaults to 'warn' but will change to 'error' in 2.12.
default : 'warn'
env :
- name : ANSIBLE_STRING_CONVERSION_ACTION
ini :
- section : defaults
key : string_conversion_action
type : string
2019-03-05 22:08:15 +01:00
VERBOSE_TO_STDERR :
version_added : '2.8'
description :
- Force 'verbose' option to use stderr instead of stdout
default : False
env :
- name : ANSIBLE_VERBOSE_TO_STDERR
ini :
- section : defaults
key : verbose_to_stderr
type : bool
2017-08-15 22:38:59 +02:00
...