You can export ANSIBLE_FORCE_COLOR=TRUE; if you have the AnsiColor plugin installed in your Jenkins you will see the colours in the Console output of your jobs.

Jon

On Friday, September 8, 2017 at 9:13:54 AM UTC+1, Dave Cottlehuber wrote:
>
> On Sat, 2 Sep 2017, at 06:17, manne shiva kumar wrote:
> > Hi Kiran,
> >
> > Am having the same issue.. could you please help me in resolving this..
> >
> > On Thursday, February 4, 2016 at 3:02:04 PM UTC+5:30, Javier Palacios
> > wrote:
> > >
> > > With the setup you describe, you have basically two jenkins-aware
> > > options. One, which is closer to what you are currently making, is to
> > > give ssh permission from jenkins to ansible servers. In that case you
> > > will need also one of the plugins that allows Jenkins to execute ssh
> > > commands in a different node (ssh-plugin or similar one) and use it
> > > instead of standard shell command box, _but_ the remote node has no
> > > access to whatever lives at the jenkins server, and will only access
> > > whatever exists at the ansible server unless you explicitly copy it
> > > (it's just ssh after all). The second approach which is the one that
> > > will probably behave as you expect, is to make the ansible server a
> > > Jenkins slave, and configure all ansible jobs to be executed in that
> > > slave with standard shell command box, you can drop the ssh stuff and
> > > run the slave as a user capable to run ansible, but security
> > > implications are not actually higher than giving ssh access (except
> > > maybe firewall ports). In this setup the workspace lives at the
> > > ansible (slave) server, but it is transparent to you because
> > > everything else is stored at jenkins (master) server.
> > >
>
> I've just dealt with this last week. With the caveat that every time I
> use Jenkins I feel like I've been assaulted by aliens, here's the only
> solution I found that actually worked:
>
> - the jenkins slave has a passwordless ssh key provided to it that
> *only* enables ssh to the ansible box. It cannot be used elsewhere in
> the infrastructure.
> The key lives in $HOME of the jenkins user - $HOME/.ssh/id_ed25519 (or
> id_rsa whatever key you use) as putting the private key directly into
> the Jenkins config did not work.
>
> ssh-keygen -o -t ed25519 -f /home/jenkins/.ssh/id_ed25519 -C "[email protected]"
>
> - the ansible server has an authorized_keys file that restricts the
> above key to run a pre-selected command and 1 parameter
>
> # /home/ansible/.ssh/authorized_keys
> command="/home/ansible/src/ansible/jenkins.sh $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 <pubkey> [email protected]
>
> - the jenkins job calls ssh and passes in 1 parameter which will be
> provided to ansible
>
> # Jenkinsfile
>
> stage('Deploy') {
>   steps {
>     echo 'Deploy step ...'
>     script {
>       // Groovy switch falls through, so each case ends with break
>       switch(env.BRANCH_NAME){
>         case "master" : sh 'ssh [email protected] production'; break
>         // jenkins.sh matches "development", so that is the word sent
>         case "develop" : sh 'ssh [email protected] development'; break
>         default : echo "... ignored in this branch"
>       }
>     }
>   }
> }
>
> - this is the script spawned by ssh
>
> # /home/ansible/src/ansible/jenkins.sh
> #!/bin/sh -xe
> # restricted command for ssh to run ansible via make targets
> cd /home/ansible/src/ansible
> case "$1" in
>   production) make production ;;
>   development) make development ;;
>   # anything else is refused instead of exiting 0 silently
>   *) echo "unknown target" >&2; exit 1 ;;
> esac
>
> - there is a Makefile in the root of the ansible dir that picks up the
> parameter and uses it as a makefile target
>
> # /home/ansible/src/ansible/Makefile
>
> clean::
> 	@git reset --hard
> 	@git clean -fdx
> 	@git pull --ff-only
>
> production:: clean
> 	ansible-playbook app.yml --limit prod,lb --diff
>
> There are also ssh_config and ansible.cfg files that specify ports,
> private key to use, and a few other useful parameters.
>
> There are a few things you can do to tighten security, making sure that
> there is no way for jenkins to do anything other than ssh in and run
> make.
>
> - make jenkins.sh immutable
> - move the authorized_keys file to somewhere like /etc/ssh/ to ensure
>   the command cannot be trimmed
> - find a better way to handle the ansible-side ssh key. I use
>   hashicorp's vault here to handle that but that's a story for another day
> - get the jenkins hashicorp plug to work, it doesn't for me
>
> I'd really like to tell ansible to display output in ANSI colour even
> though it's running as a background task.
>
> A+
> Dave
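
Added example, not part of the thread and not the poster's script: a stricter forced-command dispatcher that reads the whole client request from SSH_ORIGINAL_COMMAND and accepts only an exact allowlisted word, so trailing words are refused rather than ignored. The function names and the wiring described in the comments are assumptions; the two target names come from the thread, and the sample requests are constructed.

```shell
#!/bin/sh
# Added example: allowlist dispatcher for an sshd forced command.
# resolve_target and handle_request are hypothetical names.

# resolve_target REQUEST -> prints the make target, or returns 1 to refuse.
resolve_target() {
    case "$1" in
        production|development) printf '%s\n' "$1" ;;
        *) return 1 ;;   # empty, extra words, metacharacters, unknown names
    esac
}

# handle_request REQUEST [RUNNER...] -> runs "RUNNER <target>" or refuses.
# RUNNER defaults to make; the dry run below passes echo instead.
handle_request() {
    request=$1
    shift
    [ "$#" -gt 0 ] || set -- make
    if target=$(resolve_target "$request"); then
        "$@" "$target"
    else
        # Report only the length so client-supplied text never reaches the log.
        printf 'rejected request of length %s\n' "${#request}" >&2
        return 1
    fi
}

# Wiring assumption: authorized_keys has command="/path/to/this/script" with
# no arguments appended, and the deployed script ends with:
#     handle_request "${SSH_ORIGINAL_COMMAND-}"

# Dry run over constructed sample requests (echo stands in for make).
for sample in 'production' 'development' 'production extra' \
              'production; true' '' '../production' 'Production'; do
    if out=$(handle_request "$sample" echo would-run: make 2>/dev/null); then
        printf '%-20s -> %s\n' "[$sample]" "$out"
    else
        printf '%-20s -> refused\n' "[$sample]"
    fi
done
```

Because the request is compared as one quoted string, it is never word-split or glob-expanded before the check.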
