2018-03-14 20:44:21 +01:00
.. _ansible_faq:
2013-04-15 01:31:47 +02:00
Frequently Asked Questions
==========================
2017-04-23 09:47:03 +02:00
Here are some commonly asked questions and their answers.
2013-04-15 01:31:47 +02:00
2015-10-09 03:01:09 +02:00
2015-04-13 21:21:08 +02:00
.. _set_environment:
2013-10-04 19:27:19 +02:00
2015-04-13 21:21:08 +02:00
How can I set the PATH or any other environment variable for a task or entire playbook?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2018-06-22 16:40:29 +02:00
Setting environment variables can be done with the `environment` keyword. It can be used at the task or other levels in the play::
2015-04-13 21:21:08 +02:00
environment:
2015-06-24 02:48:13 +02:00
PATH: "{{ ansible_env.PATH }}:/thingy/bin"
2015-04-13 21:21:08 +02:00
SOME: value
2014-09-03 03:48:01 +02:00
2016-03-01 15:16:21 +01:00
.. note :: starting in 2.0.1 the setup task from gather_facts also inherits the environment directive from the play, you might need to use the `|default` filter to avoid errors if setting this at play level.
2014-09-03 03:48:01 +02:00
2018-04-25 20:18:52 +02:00
.. _faq_setting_users_and_ports:
2014-09-03 03:48:01 +02:00
2013-04-15 01:31:47 +02:00
How do I handle different machines needing different user accounts or ports to log in with?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Setting inventory variables in the inventory file is the easiest way.
2017-01-07 20:38:52 +01:00
For instance, suppose these hosts have different usernames and ports:
.. code-block :: ini
2013-04-15 01:31:47 +02:00
[webservers]
2015-09-10 16:11:47 +02:00
asdf.example.com ansible_port=5000 ansible_user=alice
jkl.example.com ansible_port=5001 ansible_user=bob
2013-04-15 01:31:47 +02:00
2017-01-07 20:38:52 +01:00
You can also dictate the connection type to be used, if you want:
.. code-block :: ini
2013-04-15 01:31:47 +02:00
[testcluster]
localhost ansible_connection=local
/path/to/chroot1 ansible_connection=chroot
2017-01-07 20:38:52 +01:00
foo.example.com ansible_connection=paramiko
2013-04-15 01:31:47 +02:00
2016-01-04 19:52:06 +01:00
You may also wish to keep these in group variables instead, or file them in a group_vars/<groupname> file.
2013-04-15 01:31:47 +02:00
See the rest of the documentation for more information about how to organize variables.
2013-10-04 19:27:19 +02:00
.. _use_ssh:
2013-04-15 01:31:47 +02:00
How do I get ansible to reuse connections, enable Kerberized SSH, or have Ansible pay attention to my local SSH config file?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2013-07-20 18:44:15 +02:00
Switch your default connection type in the configuration file to 'ssh', or use '-c ssh' to use
2013-07-05 01:10:28 +02:00
Native OpenSSH for connections instead of the python paramiko library. In Ansible 1.2.1 and later, 'ssh' will be used
by default if OpenSSH is new enough to support ControlPersist as an option.
2013-04-15 01:31:47 +02:00
Paramiko is great for starting out, but the OpenSSH type offers many advanced options. You will want to run Ansible
from a machine new enough to support ControlPersist, if you are using this connection type. You can still manage
2017-09-23 01:02:51 +02:00
older clients. If you are using RHEL 6, CentOS 6, SLES 10 or SLES 11 the version of OpenSSH is still a bit old, so
2013-04-26 11:08:13 +02:00
consider managing from a Fedora or openSUSE client even though you are managing older nodes, or just use paramiko.
2013-04-15 01:31:47 +02:00
We keep paramiko as the default as if you are first installing Ansible on an EL box, it offers a better experience
for new users.
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
.. _use_ssh_jump_hosts:
How do I configure a jump host to access servers that I have no direct access to?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2017-11-22 05:14:27 +01:00
You can set a `ProxyCommand` in the
2015-10-02 08:41:27 +02:00
`ansible_ssh_common_args` inventory variable. Any arguments specified in
this variable are added to the sftp/scp/ssh command line when connecting
2017-01-07 20:38:52 +01:00
to the relevant host(s). Consider the following inventory group:
.. code-block :: ini
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
[gatewayed]
2015-09-10 16:11:47 +02:00
foo ansible_host=192.0.2.1
bar ansible_host=192.0.2.2
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
2015-10-02 08:41:27 +02:00
You can create `group_vars/gatewayed.yml` with the following contents::
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
2015-10-02 08:41:27 +02:00
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@gateway.example.com"'
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
2015-10-02 08:41:27 +02:00
Ansible will append these arguments to the command line when trying to
connect to any hosts in the group `gatewayed` . (These arguments are used
in addition to any `ssh_args` from `ansible.cfg` , so you do not need to
repeat global `ControlPersist` settings in `ansible_ssh_common_args` .)
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 17:26:56 +02:00
Note that `ssh -W` is available only with OpenSSH 5.4 or later. With
older versions, it's necessary to execute `nc %h:%p` or some equivalent
command on the bastion host.
With earlier versions of Ansible, it was necessary to configure a
suitable `ProxyCommand` for one or more hosts in `~/.ssh/config` ,
or globally by setting `ssh_args` in `ansible.cfg` .
2019-05-01 19:04:40 +02:00
.. _ssh_serveraliveinterval:
How do I get Ansible to notice a dead target in a timely manner?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You can add `` -o ServerAliveInterval=NumberOfSeconds `` in `` ssh_args `` from `` ansible.cfg `` . Without this option, SSH and therefore Ansible will wait until the TCP connection times out. Another solution is to add `` ServerAliveInterval `` into your global SSH configuration. A good value for `` ServerAliveInterval `` is up to you to decide; keep in mind that `` ServerAliveCountMax=3 `` is the SSH default so any value you set will be tripled before terminating the SSH session.
2013-10-04 19:27:19 +02:00
.. _ec2_cloud_performance:
2013-04-15 01:31:47 +02:00
How do I speed up management inside EC2?
++++++++++++++++++++++++++++++++++++++++
Don't try to manage a fleet of EC2 machines from your laptop. Connect to a management node inside EC2 first
and run Ansible from there.
2013-10-04 19:27:19 +02:00
.. _python_interpreters:
2018-04-18 22:04:47 +02:00
How do I handle python not having a Python interpreter at /usr/bin/python on a remote machine?
2013-04-15 01:31:47 +02:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2018-04-18 22:04:47 +02:00
While you can write Ansible modules in any language, most Ansible modules are written in Python,
including the ones central to letting Ansible work.
2013-04-15 01:31:47 +02:00
2018-04-18 22:04:47 +02:00
By default, Ansible assumes it can find a :command: `/usr/bin/python` on your remote system that is
either Python2, version 2.6 or higher or Python3, 3.5 or higher.
2013-04-15 01:31:47 +02:00
2018-04-18 22:04:47 +02:00
Setting the inventory variable `` ansible_python_interpreter `` on any host will tell Ansible to
auto-replace the Python interpreter with that value instead. Thus, you can point to any Python you
want on the system if :command: `/usr/bin/python` on your system does not point to a compatible
Python interpreter.
2013-04-15 01:31:47 +02:00
2018-04-18 22:04:47 +02:00
Some platforms may only have Python 3 installed by default. If it is not installed as
:command: `/usr/bin/python` , you will need to configure the path to the interpreter via
`` ansible_python_interpreter `` . Although most core modules will work with Python 3, there may be some
special purpose ones which do not or you may encounter a bug in an edge case. As a temporary
workaround you can install Python 2 on the managed host and configure Ansible to use that Python via
`` ansible_python_interpreter `` . If there's no mention in the module's documentation that the module
requires Python 2, you can also report a bug on our `bug tracker
<https://github.com/ansible/ansible/issues> `_ so that the incompatibility can be fixed in a future release.
2013-04-15 01:31:47 +02:00
Do not replace the shebang lines of your python modules. Ansible will do this for you automatically at deploy time.
2018-06-22 16:40:29 +02:00
Also, this works for ANY interpreter, i.e ruby: `ansible_ruby_interpreter` , perl: `ansible_perl_interpreter` , etc,
so you can use this for custom modules written in any scripting language and control the interpreter location.
Keep in mind that if you put `env` in your module shebang line (`#!/usr/bin/env <other>` ),
this facility will be ignored so you will be at the mercy of the remote `$PATH` .
2018-06-15 17:14:01 +02:00
.. _installation_faqs:
How do I handle the package dependencies required by Ansible package dependencies during Ansible installation ?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
While installing Ansible, sometimes you may encounter errors such as `No package 'libffi' found` or `fatal error: Python.h: No such file or directory`
These errors are generally caused by the missing packages which are dependencies of the packages required by Ansible.
For example, `libffi` package is dependency of `pynacl` and `paramiko` (Ansible -> paramiko -> pynacl -> libffi).
In order to solve these kinds of dependency issue, you may need to install required packages using the OS native package managers (e.g., `yum` , `dnf` or `apt` ) or as mentioned in the package installation guide.
Please refer the documentation of the respective package for such dependencies and their installation methods.
2018-04-18 22:04:47 +02:00
Common Platform Issues
++++++++++++++++++++++
Running in a virtualenv
-----------------------
You can install Ansible into a virtualenv on the controller quite simply:
.. code-block :: shell
$ virtualenv ansible
$ source ./ansible/bin/activate
$ pip install ansible
If you want to run under Python 3 instead of Python 2 you may want to change that slightly:
.. code-block :: shell
2018-12-10 23:43:33 +01:00
$ virtualenv -p python3 ansible
2018-04-18 22:04:47 +02:00
$ source ./ansible/bin/activate
2018-12-10 23:43:33 +01:00
$ pip install ansible
2018-04-18 22:04:47 +02:00
If you need to use any libraries which are not available via pip (for instance, SELinux Python
bindings on systems such as Red Hat Enterprise Linux or Fedora that have SELinux enabled) then you
need to install them into the virtualenv. There are two methods:
* When you create the virtualenv, specify `` --system-site-packages `` to make use of any libraries
installed in the system's Python:
.. code-block :: shell
$ virtualenv ansible --system-site-packages
* Copy those files in manually from the system. For instance, for SELinux bindings you might do:
.. code-block :: shell
$ virtualenv ansible --system-site-packages
$ cp -r -v /usr/lib64/python3.*/site-packages/selinux/ ./py3-ansible/lib64/python3.* /site-packages/
$ cp -v /usr/lib64/python3.*/site-packages/* selinux*.so ./py3-ansible/lib64/python3.* /site-packages/
Running on BSD
--------------
.. seealso :: :ref: `working_with_bsd`
Running on Solaris
------------------
By default, Solaris 10 and earlier run a non-POSIX shell which does not correctly expand the default
tmp directory Ansible uses ( :file: `~/.ansible/tmp` ). If you see module failures on Solaris machines, this
is likely the problem. There are several workarounds:
2018-04-25 20:18:52 +02:00
* You can set `` remote_tmp `` to a path that will expand correctly with the shell you are using (see the plugin documentation for :ref: `C shell<csh_shell>` , :ref: `fish shell<fish_shell>` , and :ref: `Powershell<powershell_shell>` ). For
2018-04-18 22:04:47 +02:00
example, in the ansible config file you can set::
remote_tmp=$HOME/.ansible/tmp
2018-04-25 20:18:52 +02:00
In Ansible 2.5 and later, you can also set it per-host in inventory like this::
2018-04-18 22:04:47 +02:00
solaris1 ansible_remote_tmp=$HOME/.ansible/tmp
2018-04-27 20:21:39 +02:00
* You can set :ref: `ansible_shell_executable<ansible_shell_executable>` to the path to a POSIX compatible shell. For
2018-04-18 22:04:47 +02:00
instance, many Solaris hosts have a POSIX shell located at :file: `/usr/xpg4/bin/sh` so you can set
this in inventory like so::
solaris1 ansible_shell_executable=/usr/xpg4/bin/sh
(bash, ksh, and zsh should also be POSIX compatible if you have any of those installed).
2018-12-21 20:50:30 +01:00
Running on z/OS
---------------
There are a few common errors that one might run into when trying to execute Ansible on z/OS as a target.
* Version 2.7.6 of python for z/OS will not work with Ansible because it represents strings internally as EBCDIC.
2019-01-25 16:42:54 +01:00
To get around this limitation, download and install a later version of `python for z/OS <https://www.rocketsoftware.com/zos-open-source> `_ (2.7.13 or 3.6.1) that represents strings internally as ASCII. Version 2.7.13 is verified to work.
2018-12-21 20:50:30 +01:00
2019-04-18 04:02:09 +02:00
* When `` pipelining = False `` in `/etc/ansible/ansible.cfg` then Ansible modules are transferred in binary mode via sftp however execution of python fails with
2018-12-21 20:50:30 +01:00
2019-01-25 16:42:54 +01:00
.. error ::
SyntaxError: Non-UTF-8 code starting with \'\\x83\' in file /a/user1/.ansible/tmp/ansible-tmp-1548232945.35-274513842609025/AnsiballZ_stat.py on line 1, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details
2019-04-18 04:02:09 +02:00
2019-01-25 16:42:54 +01:00
To fix it set `` pipelining = True `` in `/etc/ansible/ansible.cfg` .
* Python interpret cannot be found in default location `` /usr/bin/python `` on target host.
.. error ::
/usr/bin/python: EDC5129I No such file or directory
To fix this set the path to the python installation in your inventory like so::
2018-12-21 20:50:30 +01:00
zos1 ansible_python_interpreter=/usr/lpp/python/python-2017-04-12-py27/python27/bin/python
2019-01-25 16:42:54 +01:00
* Start of python fails with `` The module libpython2.7.so was not found. ``
.. error ::
2018-12-21 20:50:30 +01:00
EE3501S The module libpython2.7.so was not found.
2019-01-25 16:42:54 +01:00
On z/OS, you must execute python from gnu bash. If gnu bash is installed at `` /usr/lpp/bash `` , you can fix this in your inventory by specifying an `` ansible_shell_executable `` ::
2018-12-21 20:50:30 +01:00
zos1 ansible_shell_executable=/usr/lpp/bash/bin/bash
2018-04-18 22:04:47 +02:00
2013-10-04 19:27:19 +02:00
.. _use_roles:
2013-04-15 01:31:47 +02:00
What is the best way to make content reusable/redistributable?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
If you have not done so already, read all about "Roles" in the playbooks documentation. This helps you make playbook content
2014-05-03 17:59:50 +02:00
self-contained, and works well with things like git submodules for sharing content with others.
2013-04-15 01:31:47 +02:00
If some of these plugin types look strange to you, see the API documentation for more details about ways Ansible can be extended.
2013-10-04 19:27:19 +02:00
.. _configuration_file:
2013-04-15 01:31:47 +02:00
Where does the configuration file live and what can I configure in it?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2018-02-13 16:23:55 +01:00
See :doc: `../installation_guide/intro_configuration` .
2013-04-15 01:31:47 +02:00
2013-10-04 19:27:19 +02:00
.. _who_would_ever_want_to_disable_cowsay_but_ok_here_is_how:
2013-04-15 01:31:47 +02:00
How do I disable cowsay?
++++++++++++++++++++++++
If cowsay is installed, Ansible takes it upon itself to make your day happier when running playbooks. If you decide
2018-06-25 22:53:19 +02:00
that you would like to work in a professional cow-free environment, you can either uninstall cowsay, set `` nocows=1 `` in ansible.cfg, or set the :envvar: `ANSIBLE_NOCOWS` environment variable:
2013-04-15 01:31:47 +02:00
2017-01-07 20:38:52 +01:00
.. code-block :: shell-session
2013-04-15 01:31:47 +02:00
export ANSIBLE_NOCOWS=1
2013-10-04 19:27:19 +02:00
.. _browse_facts:
2013-04-15 01:31:47 +02:00
How do I see a list of all of the ansible\_ variables?
++++++++++++++++++++++++++++++++++++++++++++++++++++++
2017-01-07 20:38:52 +01:00
Ansible by default gathers "facts" about the machines under management, and these facts can be accessed in Playbooks and in templates. To see a list of all of the facts that are available about a machine, you can run the "setup" module as an ad-hoc action:
.. code-block :: shell-session
2013-04-15 01:31:47 +02:00
ansible -m setup hostname
2018-06-22 16:40:29 +02:00
This will print out a dictionary of all of the facts that are available for that particular host. You might want to pipe the output to a pager.This does NOT include inventory variables or internal 'magic' variables. See the next question if you need more than just 'facts'.
2015-10-05 14:57:43 +02:00
.. _browse_inventory_vars:
2015-10-05 15:05:59 +02:00
2018-06-22 16:40:29 +02:00
How do I see all the inventory variables defined for my host?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-05 14:57:43 +02:00
2018-06-22 16:40:29 +02:00
By running the following command, you can see inventory variables for a host:
.. code-block :: shell-session
ansible-inventory --list --yaml
.. _browse_host_vars:
How do I see all the variables specific to my host?
+++++++++++++++++++++++++++++++++++++++++++++++++++
To see all host specific variables, which might include facts and other sources:
2017-01-07 20:38:52 +01:00
.. code-block :: shell-session
2015-10-05 14:57:43 +02:00
ansible -m debug -a "var=hostvars['hostname']" localhost
2013-04-15 01:31:47 +02:00
2018-06-22 16:40:29 +02:00
Unless you are using a fact cache, you normally need to use a play that gathers facts first, for facts included in the task above.
2013-10-04 19:27:19 +02:00
.. _host_loops:
2013-04-15 01:31:47 +02:00
How do I loop over a list of hosts in a group, inside of a template?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A pretty common pattern is to iterate over a list of hosts inside of a host group, perhaps to populate a template configuration
2016-02-26 22:43:22 +01:00
file with a list of servers. To do this, you can just access the "$groups" dictionary in your template, like this:
2016-03-13 10:03:57 +01:00
.. code-block :: jinja
2013-04-15 01:31:47 +02:00
{% for host in groups['db_servers'] %}
{{ host }}
{% endfor %}
If you need to access facts about these hosts, for instance, the IP address of each hostname, you need to make sure that the facts have been populated. For example, make sure you have a play that talks to db_servers::
- hosts: db_servers
tasks:
2016-02-26 22:43:22 +01:00
- debug: msg="doesn't matter what you do, just that they were talked to previously."
2013-04-15 01:31:47 +02:00
2017-01-07 20:38:52 +01:00
Then you can use the facts inside your template, like this:
.. code-block :: jinja
2013-04-15 01:31:47 +02:00
{% for host in groups['db_servers'] %}
{{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
{% endfor %}
2014-01-02 23:37:48 +01:00
.. _programatic_access_to_a_variable:
2013-12-27 21:52:53 +01:00
2014-03-15 15:36:42 +01:00
How do I access a variable name programmatically?
+++++++++++++++++++++++++++++++++++++++++++++++++
2013-12-27 21:52:53 +01:00
An example may come up where we need to get the ipv4 address of an arbitrary interface, where the interface to be used may be supplied
2017-01-07 20:38:52 +01:00
via a role parameter or other input. Variable names can be built by adding strings together, like so:
.. code-block :: jinja
2013-12-27 21:52:53 +01:00
{{ hostvars[inventory_hostname]['ansible_' + which_interface]['ipv4']['address'] }}
2014-03-15 15:36:42 +01:00
The trick about going through hostvars is necessary because it's a dictionary of the entire namespace of variables. 'inventory_hostname'
is a magic variable that indicates the current host you are looping over in the host loop.
2013-12-27 21:52:53 +01:00
2018-06-22 16:40:29 +02:00
Also see dynamic_variables_.
.. _access_group_variable:
How do I access a group variable?
+++++++++++++++++++++++++++++++++
2018-09-12 23:33:07 +02:00
Technically, you don't, Ansible does not really use groups directly. Groups are label for host selection and a way to bulk assign variables, they are not a first class entity, Ansible only cares about Hosts and Tasks.
2018-06-22 16:40:29 +02:00
That said, you could just access the variable by selecting a host that is part of that group, see first_host_in_a_group_ below for an example.
2014-01-02 23:37:48 +01:00
.. _first_host_in_a_group:
2013-12-27 21:52:53 +01:00
How do I access a variable of the first host in a group?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What happens if we want the ip address of the first webserver in the webservers group? Well, we can do that too. Note that if we
are using dynamic inventory, which host is the 'first' may not be consistent, so you wouldn't want to do this unless your inventory
2018-02-13 16:23:55 +01:00
is static and predictable. (If you are using :doc: `../reference_appendices/tower` , it will use database order, so this isn't a problem even if you are using cloud
2013-12-27 21:52:53 +01:00
based inventory scripts).
2017-01-07 20:38:52 +01:00
Anyway, here's the trick:
.. code-block :: jinja
2013-12-27 21:52:53 +01:00
{{ hostvars[groups['webservers'][0]]['ansible_eth0']['ipv4']['address'] }}
Notice how we're pulling out the hostname of the first machine of the webservers group. If you are doing this in a template, you
2015-10-05 14:57:43 +02:00
could use the Jinja2 '#set' directive to simplify this, or in a playbook, you could also use set_fact::
2013-12-27 21:52:53 +01:00
- set_fact: headnode={{ groups[['webservers'][0]] }}
2015-10-05 14:57:43 +02:00
2013-12-27 21:52:53 +01:00
- debug: msg={{ hostvars[headnode].ansible_eth0.ipv4.address }}
Notice how we interchanged the bracket syntax for dots -- that can be done anywhere.
2013-10-04 19:27:19 +02:00
.. _file_recursion:
2013-04-15 01:31:47 +02:00
How do I copy files recursively onto a target host?
+++++++++++++++++++++++++++++++++++++++++++++++++++
2017-04-23 09:47:03 +02:00
The "copy" module has a recursive parameter. However, take a look at the "synchronize" module if you want to do something more efficient for a large number of files. The "synchronize" module wraps rsync. See the module index for info on both of these modules.
2013-04-15 01:31:47 +02:00
2013-10-04 19:27:19 +02:00
.. _shell_env:
2013-04-15 01:31:47 +02:00
How do I access shell environment variables?
++++++++++++++++++++++++++++++++++++++++++++
2018-06-22 16:40:29 +02:00
If you just need to access existing variables ON THE CONTROLLER, use the 'env' lookup plugin.
For example, to access the value of the HOME environment variable on the management machine::
2013-04-15 01:31:47 +02:00
---
# ...
vars:
local_home: "{{ lookup('env','HOME') }}"
2018-06-22 16:40:29 +02:00
For environment variables on the TARGET machines, they are available via facts in the 'ansible_env' variable:
2017-01-07 20:38:52 +01:00
.. code-block :: jinja
2013-10-04 19:27:19 +02:00
{{ ansible_env.SOME_VARIABLE }}
2018-11-09 20:31:29 +01:00
If you need to set environment variables for TASK execution, see :ref: `playbooks_environment` in the :ref: `Advanced Playbooks <playbooks_special_topics>` section.
There are several ways to set environment variables on your target machines. You can use the :ref: `template <template_module>` , :ref: `replace <replace_module>` , or :ref: `lineinfile <lineinfile_module>` modules to introduce environment variables into files.
The exact files to edit vary depending on your OS and distribution and local configuration.
2018-06-22 16:40:29 +02:00
2013-10-08 14:38:51 +02:00
.. _user_passwords:
2018-11-09 20:31:29 +01:00
How do I generate encrypted passwords for the user module?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2013-10-08 14:38:51 +02:00
2018-06-08 00:26:25 +02:00
Ansible ad-hoc command is the easiest option:
.. code-block :: shell-session
ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'mysecretsalt') }}"
The mkpasswd utility that is available on most Linux systems is also a great option:
2017-01-07 20:38:52 +01:00
.. code-block :: shell-session
2013-10-08 14:38:51 +02:00
2016-08-25 18:43:28 +02:00
mkpasswd --method=sha-512
2014-01-08 02:20:39 +01:00
2018-06-26 20:09:23 +02:00
If this utility is not installed on your system (e.g. you are using macOS) then you can still easily
2017-01-10 14:17:32 +01:00
generate these passwords using Python. First, ensure that the `Passlib <https://bitbucket.org/ecollins/passlib/wiki/Home> `_
2017-01-07 20:38:52 +01:00
password hashing library is installed:
.. code-block :: shell-session
2014-01-08 02:20:39 +01:00
pip install passlib
2017-01-07 20:38:52 +01:00
Once the library is ready, SHA512 password values can then be generated as follows:
.. code-block :: shell-session
2014-01-08 02:20:39 +01:00
2017-12-19 16:31:30 +01:00
python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"
2013-10-08 14:38:51 +02:00
2016-09-23 19:04:09 +02:00
Use the integrated :ref: `hash_filters` to generate a hashed version of a password.
2018-02-13 16:23:55 +01:00
You shouldn't put plaintext passwords in your playbook or host_vars; instead, use :doc: `../user_guide/playbooks_vault` to encrypt sensitive data.
2016-09-23 19:04:09 +02:00
2018-05-24 16:14:14 +02:00
In OpenBSD, a similar option is available in the base system called encrypt(1):
.. code-block :: shell-session
encrypt
2018-08-14 21:58:00 +02:00
.. _dot_or_array_notation:
2013-10-04 19:27:19 +02:00
2017-09-23 01:02:51 +02:00
Ansible supports dot notation and array notation for variables. Which notation should I use?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The dot notation comes from Jinja and works fine for variables without special
2018-08-30 22:47:39 +02:00
characters. If your variable contains dots (.), colons (:), or dashes (-), if
a key begins and ends with two underscores, or if a key uses any of the known
public attributes, it is safer to use the array notation. See :ref: `playbooks_variables`
for a list of the known public attributes.
2017-09-23 01:02:51 +02:00
.. code-block :: jinja
item[0]['checksum:md5']
item['section']['2.1']
item['region']['Mid-Atlantic']
It is {{ temperature['Celsius']['-3'] }} outside.
2018-06-22 16:40:29 +02:00
Also array notation allows for dynamic variable composition, see dynamic_variables_.
2018-08-31 16:32:36 +02:00
Another problem with 'dot notation' is that some keys can cause problems because they collide with attributes and methods of python dictionaries.
.. code-block :: jinja
item.update # this breaks if item is a dictionary, as 'update()' is a python method for dictionaries
item['update'] # this works
2018-08-14 21:58:00 +02:00
.. _argsplat_unsafe:
When is it unsafe to bulk-set task arguments from a variable?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You can set all of a task's arguments from a dictionary-typed variable. This
technique can be useful in some dynamic execution scenarios. However, it
introduces a security risk. We do not recommend it, so Ansible issues a
warning when you do something like this::
#...
vars:
usermod_args:
name: testuser
state: present
update_password: always
tasks:
- user: '{{ usermod_args }}'
This particular example is safe. However, constructing tasks like this is
risky because the parameters and values passed to `` usermod_args `` could
be overwritten by malicious values in the `` host facts `` on a compromised
target machine. To mitigate this risk:
* set bulk variables at a level of precedence greater than `` host facts `` in the order of precedence found in :ref: `ansible_variable_precedence` (the example above is safe because play vars take precedence over facts)
* disable the :ref: `inject_facts_as_vars` configuration setting to prevent fact values from colliding with variables (this will also disable the original warning)
.. _commercial_support:
2016-11-19 10:04:59 +01:00
Can I get training on Ansible?
++++++++++++++++++++++++++++++
2013-04-15 01:31:47 +02:00
2018-08-13 21:54:14 +02:00
Yes! See our `services page <https://www.ansible.com/products/consulting> `_ for information on our services and training offerings. Email `info@ansible.com <mailto:info@ansible.com> `_ for further details.
2015-08-20 16:00:24 +02:00
2018-08-13 21:54:14 +02:00
We also offer free web-based training classes on a regular basis. See our `webinar page <https://www.ansible.com/resources/webinars-training> `_ for more info on upcoming webinars.
2013-04-15 01:31:47 +02:00
2018-06-22 16:40:29 +02:00
2013-10-04 19:27:19 +02:00
.. _web_interface:
Is there a web interface / REST API / etc?
++++++++++++++++++++++++++++++++++++++++++
2018-06-22 16:40:29 +02:00
Yes! Ansible, Inc makes a great product that makes Ansible even more powerful and easy to use. See :doc: `../reference_appendices/tower` .
2013-10-04 19:27:19 +02:00
.. _docs_contributions:
2013-04-15 01:31:47 +02:00
How do I submit a change to the documentation?
++++++++++++++++++++++++++++++++++++++++++++++
2017-04-23 09:47:03 +02:00
Great question! Documentation for Ansible is kept in the main project git repository, and complete instructions for contributing can be found in the docs README `viewable on GitHub <https://github.com/ansible/ansible/blob/devel/docs/docsite/README.md> `_ . Thanks!
2013-04-15 01:31:47 +02:00
2018-06-22 16:40:29 +02:00
2014-02-27 23:44:21 +01:00
.. _keep_secret_data:
How do I keep secret data in my playbook?
+++++++++++++++++++++++++++++++++++++++++
2018-02-13 16:23:55 +01:00
If you would like to keep secret data in your Ansible content and still share it publicly or keep things in source control, see :doc: `../user_guide/playbooks_vault` .
2014-02-27 23:44:21 +01:00
2017-11-22 05:14:27 +01:00
If you have a task that you don't want to show the results or command given to it when using -v (verbose) mode, the following task or playbook attribute can be useful::
2014-08-12 19:35:38 +02:00
- name: secret task
shell: /usr/bin/do_something --value={{ secret_value }}
no_log: True
This can be used to keep verbose output but hide sensitive information from others who would otherwise like to be able to see the output.
The no_log attribute can also apply to an entire play::
- hosts: all
no_log: True
Though this will make the play somewhat difficult to debug. It's recommended that this
2016-04-29 22:05:30 +02:00
be applied to single tasks only, once a playbook is completed. Note that the use of the
no_log attribute does not prevent data from being shown when debugging Ansible itself via
2017-09-01 23:52:18 +02:00
the :envvar: `ANSIBLE_DEBUG` environment variable.
2016-03-01 18:43:52 +01:00
.. _when_to_use_brackets:
.. _dynamic_variables:
.. _interpolate_variables:
2016-04-19 17:24:51 +02:00
When should I use {{ }}? Also, how to interpolate variables or dynamic variable names
2016-05-04 21:17:42 +02:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2016-03-01 18:43:52 +01:00
2017-12-07 15:25:46 +01:00
A steadfast rule is 'always use `` {{ }} `` except when `` when: `` '.
2016-03-01 18:43:52 +01:00
Conditionals are always run through Jinja2 as to resolve the expression,
2017-12-07 15:25:46 +01:00
so `` when: `` , `` failed_when: `` and `` changed_when: `` are always templated and you should avoid adding `` {{ }} `` .
2016-03-01 18:43:52 +01:00
2018-06-22 16:40:29 +02:00
In most other cases you should always use the brackets, even if previously you could use variables without specifying (like `` loop `` or `` with_ `` clauses), as this made it hard to distinguish between an undefined variable and a string.
2016-03-01 18:43:52 +01:00
2017-01-07 20:38:52 +01:00
Another rule is 'moustaches don't stack'. We often see this:
.. code-block :: jinja
2016-03-01 18:43:52 +01:00
2016-03-23 21:31:16 +01:00
{{ somevar_{{other_var}} }}
2016-03-01 18:43:52 +01:00
2018-06-22 16:40:29 +02:00
The above DOES NOT WORK as you expect, if you need to use a dynamic variable use the following as appropriate:
2017-01-07 20:38:52 +01:00
.. code-block :: jinja
2016-03-01 18:43:52 +01:00
2016-03-23 21:31:16 +01:00
{{ hostvars[inventory_hostname]['somevar_' + other_var] }}
2014-08-12 19:35:38 +02:00
2018-09-12 23:33:07 +02:00
For 'non host vars' you can use the :ref: `vars lookup<vars_lookup>` plugin:
2018-06-22 16:40:29 +02:00
.. code-block :: jinja
{{ lookup('vars', 'somevar_' + other_var) }}
.. _why_no_wheel:
2016-12-02 18:45:47 +01:00
Why don't you ship in X format?
+++++++++++++++++++++++++++++++
Several reasons, in most cases it has to do with maintainability, there are tons of ways to ship software and it is a herculean task to try to support them all.
2016-12-03 00:49:59 +01:00
In other cases there are technical issues, for example, for python wheels, our dependencies are not present so there is little to no gain.
2016-12-02 18:45:47 +01:00
2018-06-22 16:40:29 +02:00
2018-11-12 16:26:15 +01:00
.. _ansible_host_delegated:
How do I get the original ansible_host when I delegate a task?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2018-12-04 21:44:29 +01:00
As the documentation states, connection variables are taken from the `` delegate_to `` host so `` ansible_host `` is overwritten,
but you can still access the original via `` hostvars `` ::
2018-11-12 16:26:15 +01:00
2018-12-04 21:44:29 +01:00
original_host: "{{ hostvars[inventory_hostname]['ansible_host'] }}"
2018-11-12 16:26:15 +01:00
This works for all overriden connection variables, like `` ansible_user `` , `` ansible_port `` , etc.
2019-04-18 04:02:09 +02:00
.. _scp_protocol_error_filename:
How do I fix 'protocol error: filename does not match request' when fetching a file?
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Newer releases of OpenSSH have a `bug <https://bugzilla.mindrot.org/show_bug.cgi?id=2966> `_ in the SCP client that can trigger this error on the Ansible controller when using SCP as the file transfer mechanism::
failed to transfer file to /tmp/ansible/file.txt\r\nprotocol error: filename does not match request
In these releases, SCP tries to validate that the path of the file to fetch matches the requested path.
The validation
fails if the remote filename requires quotes to escape spaces or non-ascii characters in its path. To avoid this error:
* Use SFTP instead of SCP by setting `` scp_if_ssh `` to `` smart `` (which tries SFTP first) or to `` False `` . You can do this in one of four ways:
* Rely on the default setting, which is `` smart `` - this works if `` scp_if_ssh `` is not explicitly set anywhere
* Set a :ref: `host variable <host_variables>` or :ref: `group variable <group_variables>` in inventory: `` ansible_scp_if_ssh: False ``
* Set an environment variable on your control node: `` export ANSIBLE_SCP_IF_SSH=False ``
* Pass an environment variable when you run Ansible: `` ANSIBLE_SCP_IF_SSH=smart ansible-playbook ``
* Modify your `` ansible.cfg `` file: add `` scp_if_ssh=False `` to the `` [ssh_connection] `` section
* If you must use SCP, set the `` -T `` arg to tell the SCP client to ignore path validation. You can do this in one of three ways:
* Set a :ref: `host variable <host_variables>` or :ref: `group variable <group_variables>` : `` ansible_scp_extra_args=-T `` ,
* Export or pass an environment variable: `` ANSIBLE_SCP_EXTRA_ARGS=-T ``
* Modify your `` ansible.cfg `` file: add `` scp_extra_args=-T `` to the `` [ssh_connection] `` section
.. note :: If you see an `` invalid argument `` error when using `` -T `` , then your SCP client is not performing filename validation and will not trigger this error.
2017-12-07 15:25:46 +01:00
.. _i_dont_see_my_question:
2016-12-02 18:45:47 +01:00
2013-04-15 01:31:47 +02:00
I don't see my question here
++++++++++++++++++++++++++++
2014-01-28 17:04:34 +01:00
Please see the section below for a link to IRC and the Google Group, where you can ask your question there.
2013-04-15 01:31:47 +02:00
2013-10-05 18:31:16 +02:00
.. seealso ::
2018-02-13 16:23:55 +01:00
:doc: `../user_guide/playbooks`
2013-10-05 18:31:16 +02:00
An introduction to playbooks
2018-02-13 16:23:55 +01:00
:doc: `../user_guide/playbooks_best_practices`
2013-10-05 18:31:16 +02:00
Best practices advice
2018-07-21 15:48:47 +02:00
`User Mailing List <https://groups.google.com/group/ansible-project> `_
2013-10-05 18:31:16 +02:00
Have a question? Stop by the google group!
`irc.freenode.net <http://irc.freenode.net> `_
#ansible IRC chat channel