752c40464f
* Add docs/docsite/rst/reference_appendices/general_precedence.rst
Co-Authored-By: Sandra McCann <samccann@redhat.com>
(cherry picked from commit c2469648e4
)
158 lines
6.1 KiB
Django/Jinja
158 lines
6.1 KiB
Django/Jinja
.. _ansible_configuration_settings:
|
|
|
|
{% set name = 'Ansible Configuration Settings' -%}
|
|
{% set name_slug = 'config' -%}
|
|
|
|
{% set name_len = name|length + 0-%}
|
|
{{ '=' * name_len }}
|
|
{{name}}
|
|
{{ '=' * name_len }}
|
|
|
|
Ansible supports several sources for configuring its behavior, including an ini file named ``ansible.cfg``, environment variables, command-line options, playbook keywords, and variables. See :ref:`general_precedence_rules` for details on the relative precedence of each source.
|
|
|
|
The ``ansible-config`` utility allows users to see all the configuration settings available, their defaults, how to set them and
|
|
where their current value comes from. See :ref:`ansible-config` for more information.
|
|
|
|
.. _ansible_configuration_settings_locations:
|
|
|
|
The configuration file
|
|
======================
|
|
|
|
Changes can be made and used in a configuration file which will be searched for in the following order:
|
|
|
|
* ``ANSIBLE_CONFIG`` (environment variable if set)
|
|
* ``ansible.cfg`` (in the current directory)
|
|
* ``~/.ansible.cfg`` (in the home directory)
|
|
* ``/etc/ansible/ansible.cfg``
|
|
|
|
Ansible will process the above list and use the first file found, all others are ignored.
|
|
|
|
.. note::
|
|
|
|
The configuration file is one variant of an INI format.
|
|
Both the hash sign (``#``) and semicolon (``;``) are allowed as
|
|
comment markers when the comment starts the line.
|
|
However, if the comment is inline with regular values,
|
|
only the semicolon is allowed to introduce the comment.
|
|
For instance::
|
|
|
|
# some basic default values...
|
|
inventory = /etc/ansible/hosts ; This points to the file that lists your hosts
|
|
|
|
|
|
.. _cfg_in_world_writable_dir:
|
|
|
|
Avoiding security risks with ``ansible.cfg`` in the current directory
|
|
---------------------------------------------------------------------
|
|
|
|
|
|
If Ansible were to load ``ansible.cfg`` from a world-writable current working
|
|
directory, it would create a serious security risk. Another user could place
|
|
their own config file there, designed to make Ansible run malicious code both
|
|
locally and remotely, possibly with elevated privileges. For this reason,
|
|
Ansible will not automatically load a config file from the current working
|
|
directory if the directory is world-writable.
|
|
|
|
If you depend on using Ansible with a config file in the current working
|
|
directory, the best way to avoid this problem is to restrict access to your
|
|
Ansible directories to particular user(s) and/or group(s). If your Ansible
|
|
directories live on a filesystem which has to emulate Unix permissions, like
|
|
Vagrant or Windows Subsystem for Linux (WSL), you may, at first, not know how
|
|
you can fix this as ``chmod``, ``chown``, and ``chgrp`` might not work there.
|
|
In most of those cases, the correct fix is to modify the mount options of the
|
|
filesystem so the files and directories are readable and writable by the users
|
|
and groups running Ansible but closed to others. For more details on the
|
|
correct settings, see:
|
|
|
|
* for Vagrant, Jeremy Kendall's `blog post <http://jeremykendall.net/2013/08/09/vagrant-synced-folders-permissions/>`_ covers synced folder permissions.
|
|
* for WSL, the `WSL docs <https://docs.microsoft.com/en-us/windows/wsl/wsl-config#set-wsl-launch-settings>`_
|
|
and this `Microsoft blog post <https://blogs.msdn.microsoft.com/commandline/2018/01/12/chmod-chown-wsl-improvements/>`_ cover mount options.
|
|
|
|
If you absolutely depend on storing your Ansible config in a world-writable current
|
|
working directory, you can explicitly specify the config file via the
|
|
:envvar:`ANSIBLE_CONFIG` environment variable. Please take
|
|
appropriate steps to mitigate the security concerns above before doing so.
|
|
|
|
|
|
Relative paths for configuration
|
|
--------------------------------
|
|
|
|
You can specify a relative path for many configuration options. In most of
|
|
those cases the path used will be relative to the ``ansible.cfg`` file used
|
|
for the current execution. If you need a path relative to your current working
|
|
directory (CWD) you can use the ``{%raw%}{{CWD}}{%endraw%}`` macro to specify
|
|
it. We do not recommend this approach, as using your CWD as the root of
|
|
relative paths can be a security risk. For example:
|
|
``cd /tmp; secureinfo=./newrootpassword ansible-playbook ~/safestuff/change_root_pwd.yml``.
|
|
|
|
|
|
Common Options
|
|
==============
|
|
|
|
This is a copy of the options available from our release, your local install might have extra options due to additional plugins,
|
|
you can use the command line utility mentioned above (`ansible-config`) to browse through those.
|
|
|
|
{% if config_options %}
|
|
|
|
|
|
{% for config_option in config_options|sort %}
|
|
{% set config_len = config_option|length -%}
|
|
{% set config = config_options[config_option] %}
|
|
.. _{{config_option}}:
|
|
|
|
{{config_option}}
|
|
{{ '-' * config_len }}
|
|
|
|
{% if config['description'] and config['description'] != [''] %}
|
|
{% if config['description'] != ['TODO: write it'] %}
|
|
:Description: {{' '.join(config['description'])}}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if config['type'] %}
|
|
:Type: {{config['type']}}
|
|
{% endif %}
|
|
:Default: {{config['default']}}
|
|
{% if config['version_added'] %}
|
|
:Version Added: {{config['version_added']}}
|
|
{% endif %}
|
|
{% for ini_map in config['ini']|sort(attribute='section') %}
|
|
:Ini Section: {{ini_map['section']}}
|
|
:Ini Key: {{ini_map['key']}}
|
|
{% endfor %}
|
|
{% for env_var_map in config['env']|sort(attribute='name') %}
|
|
:Environment: :envvar:`{{env_var_map['name']}}`
|
|
{% endfor %}
|
|
{% if config['deprecated'] %}
|
|
:Deprecated in: {{config['deprecated']['version']}}
|
|
:Deprecated detail: {{config['deprecated']['why']}}
|
|
:Deprecated alternatives: {{config['deprecated']['alternatives']}}
|
|
{% endif %}
|
|
|
|
{% endfor %}
|
|
|
|
Environment Variables
|
|
=====================
|
|
|
|
.. envvar:: ANSIBLE_CONFIG
|
|
|
|
|
|
Override the default ansible config file
|
|
|
|
|
|
{% for config_option in config_options %}
|
|
{% for env_var_map in config_options[config_option]['env'] %}
|
|
.. envvar:: {{env_var_map['name']}}
|
|
|
|
{% if config_options[config_option]['description'] and config_options[config_option]['description'] != [''] %}
|
|
{% if config_options[config_option]['description'] != ['TODO: write it'] %}
|
|
{{ ''.join(config_options[config_option]['description']) }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
See also :ref:`{{config_option}} <{{config_option}}>`
|
|
|
|
{% endfor %}
|
|
|
|
{% endfor %}
|
|
|
|
{% endif %}
|