Thanks a lot Mohan for your help.

Thanks & Regards
Rajendra Rawat

On Wed, 31 Oct 2018 at 13:37, Mohan L <[email protected]> wrote:
>
> You can create a directory called 'all' under your playbook group_vars
> directory and use 'all' in your ad hoc command. This way the variables
> are applied to all the hosts defined in myhostfile in my example.
>
> # tree -L 3 /etc/ansible/group_vars
> /etc/ansible/group_vars
> `-- all
>     `-- secrets.yml
>
> # ansible -i /etc/ansible/myhostfile all -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
> Vault password:
> localhost | SUCCESS => {
>     "changed": false,
>     "gid": 0,
>     "group": "root",
>     "mode": "0755",
>     "owner": "root",
>     "path": "/tmp/hello",
>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>     "size": 6,
>     "state": "directory",
>     "uid": 0
> }
>
> Have a look at ansible inventory:
> https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
> https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible#ansible-recommended-strategy-using-groups-and-multiple-inventories
>
> On Wednesday, October 31, 2018 at 11:52:29 AM UTC+5:30, Rajendra Rawat wrote:
>>
>> It is working for me now. Thanks for explaining it in detail.
>> It is working for me after creating the group into
>> /etc/ansible/group_var
>>
>> I have a doubt, can we achieve the same functionality without creating
>> vault file with same group name which we given in inventory file into
>> /etc/ansible/group_var/?
>>
>> Thanks & Regards
>> Rajendra Rawat
>>
>> On Tue, 30 Oct 2018 at 17:06, Mohan L <[email protected]> wrote:
>>>
>>> I have already given you an example. You can see it if you closely read my
>>> first reply to this thread.
>>> Ansible vault works the same way for both ansible-playbook and the
>>> ansible command. Whatever is documented for ansible-playbook also works
>>> with ansible ad hoc if you use vault. You have to spend some time to
>>> learn it. Everything is documented well.
>>>
>>> Here is the step by step example:
>>>
>>> 1). Create a directory group_vars
>>>
>>> # mkdir -p /etc/ansible/group_vars
>>>
>>> 2). Create a variable file with your server user name and password.
>>> Please note this is the username and password which your ansible ad hoc
>>> command is going to use to log in to your target machine.
>>>
>>> # vim /etc/ansible/group_vars/myservers.yml
>>>
>>> ---
>>> ansible_user: root
>>> ansible_ssh_pass: toor
>>>
>>> Save the file with above two variables. You have to change your target
>>> machine username and password.
>>>
>>> 3). My sample file looks like below after step 2.
>>>
>>> # cat /etc/ansible/group_vars/myservers.yml
>>> ---
>>> ansible_user: root
>>> ansible_ssh_pass: toor
>>>
>>> 4). Encrypt the /etc/ansible/group_vars/myservers.yml file.
>>> The ansible-vault command will prompt you for a password twice (a second
>>> time to confirm the first). Once that's done, the file will be encrypted!
>>> If you edit the file directly, you'll just see encrypted text.
>>>
>>> # ansible-vault encrypt /etc/ansible/group_vars/myservers.yml
>>> New Vault password:
>>> Confirm New Vault password:
>>> Encryption successful
>>>
>>> NOTE: You have to use this password with ansible ad hoc command. In my
>>> case I used ‘test123’ as password.
>>>
>>> 5). You will need to make inventory files for Ansible. An inventory file
>>> lists hosts which you would like to manage and the groups they belong to.
>>> I’ve created inventory file called ‘myhostfile’
>>>
>>> # vim /etc/ansible/myhostfile
>>> [myserver]
>>> localhost
>>>
>>> NOTE: Here ‘myserver’ is group name and I have only one host which is my
>>> local machine.
>>> You need to change localhost to your target machine hostname
>>> or IP address. If you closely notice my group name is ‘myserver’ and vault
>>> file under group_vars directory also same.
>>>
>>> 6). Now run your ansible ad hoc command. Here is one ad hoc command
>>> which will create a file /tmp/hello on the target machine.
>>>
>>> # ansible -i /etc/ansible/myhostfile myservers -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --ask-vault-pass
>>> Vault password:
>>> localhost | SUCCESS => {
>>>     "changed": false,
>>>     "gid": 0,
>>>     "group": "root",
>>>     "mode": "0755",
>>>     "owner": "root",
>>>     "path": "/tmp/hello",
>>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>>     "size": 6,
>>>     "state": "directory",
>>>     "uid": 0
>>> }
>>>
>>> NOTE: I used --ask-vault-pass which will prompt you for the vault password.
>>> In my case it is ‘test123’ which I used to decrypt the file. Please refer step 4.
>>>
>>> You can also save the password in file and pass with --vault-password-file
>>>
>>> Hope it helps you. If you still have problem then you have to send more
>>> details about what exactly you are doing.
>>>
>>> On Tuesday, October 30, 2018 at 11:39:52 AM UTC+5:30, Rajendra Rawat wrote:
>>>>
>>>> I have gone through the link shared by you but nowhere is it
>>>> using the vault for ad hoc command. It is using it for playbook.
>>>>
>>>> Request you to please share an example of ping module as I did in
>>>> my previous email that would be helpful understanding it.
>>>>
>>>> ad-hoc command:
>>>>
>>>> ansible <hostname> -m ping <what_next?>
>>>>
>>>> Please note sshkey is not setup on target host.
>>>>
>>>> Thanks & Regards
>>>> Rajendra Rawat
>>>>
>>>> On Tue, 30 Oct 2018 at 08:21, Mohan L <[email protected]> wrote:
>>>>>
>>>>> You have to pass vault password to ansible command not vault file
>>>>> itself.
>>>>> Vault file stores your secrets/variables in encrypted format and
>>>>> vault password is used to decrypt it. Pass vault password to ansible command.
>>>>>
>>>>> You have read this doc:
>>>>> https://docs.ansible.com/ansible/2.7/user_guide/vault.html
>>>>>
>>>>> Take a look at the below link as well:
>>>>> https://serversforhackers.com/c/how-ansible-vault-works
>>>>> https://zaiste.net/ansible_vault_storing_sensitive_data_as_encrypted_variables/
>>>>>
>>>>> If your roles or playbooks reference encrypted variables, you need to
>>>>> give Ansible the password to decrypt them. Prior to Ansible 2.4, you can
>>>>> do this in two ways:
>>>>>
>>>>> 1). Using the --ask-vault-pass flag will instruct Ansible to ask for
>>>>> the vault password so it can decrypt the variable files correctly.
>>>>>
>>>>> 2). Using --vault-password-file flag will instruct Ansible to reference
>>>>> vault password from file. Ansible playbook uses the password within the
>>>>> referenced file to decrypt vault file.
>>>>>
>>>>> Since Ansible 2.4, a way to provide a vault password is to use
>>>>> the --vault-id option as well. This allows vault files or vars that
>>>>> are encrypted with different passwords to be used at the same time. That
>>>>> is what Andrew mentioned in his post.
>>>>>
>>>>> On Tuesday, October 30, 2018 at 1:04:03 AM UTC+5:30, Rajendra Rawat wrote:
>>>>>>
>>>>>> Hi Mohan,
>>>>>>
>>>>>> I tried running ad-hoc command as you suggested but it is not working
>>>>>>
>>>>>> ansible <target_hostname> -m ping -u <targer_vm_username> --vault-password-file <secret_file>
>>>>>>
>>>>>> where "secret_file" was created with password of <targer_vm_username>
>>>>>> ansible-vault create secret_file
>>>>>> cat secret_file
>>>>>> <password>
>>>>>>
>>>>>> Output:
>>>>>> [WARNING]: Error in vault password file loading (default): A vault password must be specified to decrypt data
>>>>>> ERROR! A vault password must be specified to decrypt data
>>>>>>
>>>>>> Am I doing something wrong?
>>>>>>
>>>>>> Thanks & Regards
>>>>>> Rajendra Rawat
>>>>>>
>>>>>> On Mon, 29 Oct 2018 at 21:19, Mohan L <[email protected]> wrote:
>>>>>>>
>>>>>>> Do you have any problem using vault with ad-hoc??
>>>>>>>
>>>>>>> Here is an example of how it works.
>>>>>>>
>>>>>>> I have a vault secret file under group_vars like below. You have to
>>>>>>> use ansible-vault create.
>>>>>>>
>>>>>>> # ansible-vault view group_vars/myserver.yml
>>>>>>> Vault password:
>>>>>>> ---
>>>>>>> ansible_user: root
>>>>>>> ansible_ssh_pass: password1
>>>>>>>
>>>>>>> I have my vault password stored in file which looks like below:
>>>>>>>
>>>>>>> # cat vault_key
>>>>>>> myvault@pass
>>>>>>>
>>>>>>> I am using ad-hoc command like below and it works. What is your
>>>>>>> problem?
>>>>>>>
>>>>>>> # ansible myserver -m file -a "dest=/tmp/hello mode=755 state=directory" -u root --vault-password-file vault_key
>>>>>>> localhost | SUCCESS => {
>>>>>>>     "changed": false,
>>>>>>>     "gid": 0,
>>>>>>>     "group": "root",
>>>>>>>     "mode": "0755",
>>>>>>>     "owner": "root",
>>>>>>>     "path": "/tmp/hello",
>>>>>>>     "secontext": "unconfined_u:object_r:user_tmp_t:s0",
>>>>>>>     "size": 6,
>>>>>>>     "state": "directory",
>>>>>>>     "uid": 0
>>>>>>> }
>>>>>>>
>>>>>>> Thanks
>>>>>>> Mohan L
>>>>>>>
>>>>>>> On Monday, October 29, 2018 at 6:30:56 PM UTC+5:30, Rajendra Rawat wrote:
>>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Is it possible to use ansible-vault with ad-hoc commands.
>>>>>>>> Use case: I have not setup ssh key and I want to use ping module on
>>>>>>>> target machine.
>>>>>>>>
>>>>>>>> normal way if we have setup sshkey or pass the text password
>>>>>>>> 1: ansible <target_hostname> -m ping [if ssh key configured]
>>>>>>>> 2: ansible <target_hostname> -m ping --extra-vars "ansible_user=<username> ansible_password=<password>"
>>>>>>>>
>>>>>>>> But I want to do this with ansible-vault.
>>>>>>>> Is it possible ? any help would be appreciated.
>>>>>>>>
>>>>>>>> Thanks & Regards
>>>>>>>> Rajendra Rawat
>>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Ansible Project" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To post to this group, send email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/d/msgid/ansible-project/7f859c16-ee20-42fc-9ec4-fa57befbff92%40googlegroups.com
>>>>>>> For more options, visit https://groups.google.com/d/optout.
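
A preflight check for the layout discussed in this thread, as an added example that is not part of the original messages: it flags a vault file passed where the vault password file is expected (the mistake Mohan points out), a group_vars file whose name matches no inventory group (the thread's examples use both `myserver` and `myservers`), and connection passwords left in cleartext. The function names and finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks for the inventory / group_vars / vault password layout.

# True when the file begins with the Ansible Vault header.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Group names declared in an INI inventory, including [g:children] and [g:vars].
inventory_groups() {
    sed -n 's/^\[\([^]:]*\).*]$/\1/p' "$1" | sort -u
}

# check_layout INVENTORY GROUP_VARS_DIR VAULT_PASSWORD_FILE
# Prints one "finding:subject" line per problem; prints nothing when clean.
check_layout() {
    inv=$1; gv=$2; pw=$3
    # A password file made with "ansible-vault create" is itself ciphertext.
    if is_vault_encrypted "$pw"; then
        echo "password-file-is-vault:$pw"
    fi
    # The password file is a plaintext secret: keep it owner-only.
    if [ -n "$(find "$pw" \( -perm -040 -o -perm -004 \))" ]; then
        echo "password-file-readable-by-others:$pw"
    fi
    for entry in "$gv"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry"); name=${name%.yml}; name=${name%.yaml}
        # group_vars/<name> only applies to an inventory group <name> (or all).
        if [ "$name" != all ] &&
           ! inventory_groups "$inv" | grep -Fqx "$name"; then
            echo "no-inventory-group:$name"
        fi
        # Connection passwords must not sit in cleartext variable files.
        find "$entry" -type f | while IFS= read -r file; do
            if ! is_vault_encrypted "$file" &&
               grep -Eq '^(ansible_ssh_pass|ansible_password):' "$file"; then
                echo "plaintext-secret:$file"
            fi
        done
    done
    return 0
}
```

Run it as `check_layout /etc/ansible/myhostfile /etc/ansible/group_vars vault_key` before the ad hoc command; empty output means none of the three problems was found.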
