[ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-02 Thread Dan Linder
Can you provide a minimal Ansible playbook with a vaulted variable file to 
see if we can recreate it or see anything amiss?

The error message you're showing states "root @ SOME_IP: Permission denied 
(publickey,password)" which doesn't seem to be ansible-vault related.

On Sunday, October 2, 2022 at 6:15:34 AM UTC-5 jer...@gmail.com wrote:

> I'm using in inventory/group_vars/all.yaml:
> 
> *ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'*
>
> This Key is working well when it's plain text
> When I encrypt the file with ansible-vault, I get the error:
>
> *Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format*
> *root @ SOME_IP: Permission denied (publickey,password).*
> *unreachable: true*
>
> I am using *$ANSIBLE_VAULT_PASSWORD_FILE* to decrypt everything without 
> asking for password.
> I have other encrypted secrets in all.yaml that get decrypted.
>
> What am I missing ?
>
> Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/5635aeb8-5db3-4e28-a8eb-8a5ea2f98640n%40googlegroups.com.


[ansible-project] Re: Run playbook against multiple hosts with different variables

2022-03-04 Thread Dan Linder
Do you have an inventory file set up that has "server01" and "server02" 
set up in group(s)?  For instance, instead of running the two examples 
above, set up an inventory file with both servers listed:

# inventory.ini
server01
server02

Then run your playbook like this:
ansible-playbook playbooks/newonpremserver.yml -i inventory.ini -

Your playbook will run on both 01 and 02 at the same time.  If you have 
"server01" through "server99", then just add them to the inventory file and 
the playbook will run on all of them in parallel.

On Wednesday, March 2, 2022 at 9:34:43 AM UTC-6 Nitrous wrote:

> So, we build a lot of servers with different specs, and our YAML file 
> variables for the build specs differ (like different CPU/RAM/HDD etc.), but 
> the playbooks remain the same.
>
> Currently, to run multiple builds concurrently, I have to open a new ssh 
> session to the Ansible server every time and run the builds for each server 
> using:
>
> So first ssh session will run the build for the first server like this: 
> ansible-playbook playbooks/newonpremserver.yml -e "hostname=server01" -
>
> Second ssh session will run the build for the second server like this: 
> ansible-playbook playbooks/newonpremserver.yml -e "hostname=server02" -
>
> and so on..
>
> Please suggest a better way to run builds concurrently.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/92bb3b1d-c7e8-4d79-82c2-e3e7c56566b2n%40googlegroups.com.


Re: [ansible-project] The "mount' module and adding a mount option

2022-01-20 Thread Dan Linder
Thanks, I'll give that a shot.

I don't like the "explicitly sets all the flags that are reported by 
ansible_mount" feature either so I might have to think about this more.

I guess I could note which mounts are missing "nodev", then use the 
lineinfile: to rewrite the affected /etc/fstab lines and add the "nodev" 
flag.  (That's about 33% serious, 66% tongue-in-cheek...)

Something like:

  - name: "Setup some of the mount flag variables"
    set_fact:
      mount_flags:
        - 'nodev'
        - 'noexec'
      mount_point:
        - 'mount01'
        - 'mount02'

  - name: "Ensure mount flags are set"
    lineinfile:
      path: /etc/fstab2
      regexp: '(\S+\s+\S*/tmp/mounts/{{ item.0 }}\S*\s+\S+\s+)(\S+)(\s+\S+\s+\S+)'
      line: '\1\2,{{ item.1 }}\3'
      backrefs: yes
      backup: yes
    when: "'{{ item.1 }}' not in (ansible_mounts|selectattr('mount', 'equalto', '/tmp/mounts/' ~ item.0)).0.options"
    loop: "{{ mount_point|product(mount_flags)|list }}"
    # NOTE: item.0 are the 'mount_point' entries, and item.1 are the
    # 'mount_flags' entries.

Now I know it *can* be done, but *should* it be done...or will this end up 
being a playbook that *only* I can support at 3AM...   :-/

Dan

On Tuesday, January 18, 2022 at 6:20:04 AM UTC-6 dick@geant.org wrote:

> You don't have to split the opts by comma, just checking if 'nodev' is 
> enough.
> If it isn't there, you can then append it:
>
>
>   - name: "Add nodev to /tmp/mounts/mount*"
>     mount:
>       path: '/tmp/mounts/{{ item }}'
>       src: '/tmp/{{ item }}'
>       fstype: xfs
>       opts: "{{ (ansible_mounts|selectattr('mount', 'equalto', '/tmp/mounts/' ~ item)).0.options }},nodev"
>       state: present
>       passno: '0'
>       dump: '0'
>       backup: yes
>     with_items:
>       - mount01
>       - mount02
>     when: "'nodev' not in (ansible_mounts|selectattr('mount', 'equalto', '/tmp/mounts/' ~ item)).0.options"
>
> The only thing with this approach is that it explicitly sets all the flags 
> that are reported by ansible_mounts - but this might be a good idea anyway.
>
> Dick
>
>
> On Tue, 18 Jan 2022 at 03:47, Dan Linder  wrote:
>
>> I've got a variety of mounts that I want to ensure specific flags are set 
>> on each.  For other reasons, the mounts don't have the same flags.
>>
>> I mistakenly thought the 'mount' module would ensure each had the flag, 
>> but instead it set the flags of the mount to ONLY the 'opts' parameter.
>>
>> For instance, I have a test system with these two mounts:
>> /tmp/mount01 /tmp/mounts/mount01 xfs defaults,*noatime,nodev *0 0
>> /tmp/mount02 /tmp/mounts/mount02 xfs defaults,*relatime,noexec *0 0
>>
>> Note the changes in the mount options.
>>
>> I setup this play in a playbook:
>>   - name: "Add nodev to /tmp/mounts/mount*"
>>     mount:
>>       path: '/tmp/mounts/{{ item }}'
>>       src: '/tmp/{{ item }}'
>>       fstype: xfs
>>       opts: 'nodev'
>>       state: present
>>       passno: '0'
>>       dump: '0'
>>       backup: yes
>>     with_items:
>>       - mount01
>>       - mount02
>>
>> But ended up getting the mounts (in /etc/fstab) like this:
>> /tmp/mount01 /tmp/mounts/mount01 xfs *nodev* 0 0
>> /tmp/mount02 /tmp/mounts/mount02 xfs *nodev* 0 0
>>
>> Since I'm 'gathering_facts', I thought I could use the 'ansible_mounts' 
>> list, but the options are just a simple string:
>>{
>> ...
>>"fstype": "xfs",
>> ...
>>"mount": "/tmp/mounts/mount01",
>>"options": "rw,seclabel,nodev,noatime,attr2,inode64,noquota",
>> ...
>>}
>>
>> In a much more complex playbook, I have pulled out the individual 
>> 'options' parameters and could append the new 'opts' parameters to each - 
>> but that ends up doing a simple appending which ends up in the /etc/fstab 
>> file so each run adds another value.
>>
>> *My question:* Is there a simpler way that I'm overlooking to ensure 
>> that 'nodev' - or any single parameter is provided to 'opts' - is in each 
>> mount without having to define the entire (and potentially unique) 'opts' 
>> string for each mount?
>>
>> If the 'options' within the 'gather_facts' was also a list, then adding 
>> the 'nodev' element wouldn't lead to the duplication issue...  If the 
>> 'mount' 'opts' parameter took a list, then it would be possible to convert 
>> the CSV string to a list, then append the single 'opt' to the list.
>>

[ansible-project] The "mount' module and adding a mount option

2022-01-17 Thread Dan Linder
I've got a variety of mounts that I want to ensure specific flags are set 
on each.  For other reasons, the mounts don't have the same flags.

I mistakenly thought the 'mount' module would ensure each had the flag, but 
instead it set the flags of the mount to ONLY the 'opts' parameter.

For instance, I have a test system with these two mounts:
/tmp/mount01 /tmp/mounts/mount01 xfs defaults,*noatime,nodev *0 0
/tmp/mount02 /tmp/mounts/mount02 xfs defaults,*relatime,noexec *0 0

Note the changes in the mount options.

I setup this play in a playbook:
  - name: "Add nodev to /tmp/mounts/mount*"
    mount:
      path: '/tmp/mounts/{{ item }}'
      src: '/tmp/{{ item }}'
      fstype: xfs
      opts: 'nodev'
      state: present
      passno: '0'
      dump: '0'
      backup: yes
    with_items:
      - mount01
      - mount02

But ended up getting the mounts (in /etc/fstab) like this:
/tmp/mount01 /tmp/mounts/mount01 xfs *nodev* 0 0
/tmp/mount02 /tmp/mounts/mount02 xfs *nodev* 0 0

Since I'm 'gathering_facts', I thought I could use the 'ansible_mounts' 
list, but the options are just a simple string:
   {
...
   "fstype": "xfs",
...
   "mount": "/tmp/mounts/mount01",
   "options": "rw,seclabel,nodev,noatime,attr2,inode64,noquota",
...
   }

In a much more complex playbook, I have pulled out the individual 'options' 
parameters and could append the new 'opts' parameters to each - but that 
ends up doing a simple appending which ends up in the /etc/fstab file so 
each run adds another value.

*My question:* Is there a simpler way that I'm overlooking to ensure that 
'nodev' - or any single parameter is provided to 'opts' - is in each mount 
without having to define the entire (and potentially unique) 'opts' string 
for each mount?

If the 'options' within the 'gather_facts' was also a list, then adding the 
'nodev' element wouldn't lead to the duplication issue...  If the 'mount' 
'opts' parameter took a list, then it would be possible to convert the CSV 
string to a list, then append the single 'opt' to the list.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/f65e34d2-2b8c-4bc8-bc34-6f3eddf44be1n%40googlegroups.com.
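
Added example, not part of the original thread and not code from the mount module: one way to get the idempotent behaviour asked about above is to treat the fstab option field as a list of whole tokens and append a flag only when that exact token is missing. The function names, the filter name ensure_mount_opts and the sample fstab are assumptions constructed for this example.

```python
import re

# Constructed sample based on the two test mounts shown in the post.
SAMPLE_FSTAB = (
    "# constructed sample, not a real /etc/fstab\n"
    "/dev/sda1 / xfs defaults 0 0\n"
    "/tmp/mount01 /tmp/mounts/mount01 xfs defaults,noatime,nodev 0 0\n"
    "/tmp/mount02 /tmp/mounts/mount02 xfs defaults,relatime,noexec 0 0\n"
)
WANTED = {
    "/tmp/mounts/mount01": ["nodev", "noexec"],
    "/tmp/mounts/mount02": ["nodev", "noexec"],
}

# device, mount point, fstype, options, rest (dump and passno)
FSTAB_LINE = re.compile(r"^(\s*\S+\s+)(\S+)(\s+\S+\s+)(\S+)(.*)$")


def split_opts(opts):
    """Split an option string on commas that are outside double quotes.

    SELinux options such as context="...:s0:c1,c2" carry commas inside the
    quoted value, so a plain str.split(',') would cut them in half.
    """
    tokens, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf))
    return [t for t in tokens if t]


def ensure_mount_opts(opts, required):
    """Return opts with every flag in `required` present exactly once.

    Existing options keep their order. The test is on whole tokens, so
    'atime' is not considered present just because 'relatime' is.
    """
    tokens = split_opts(opts)
    for flag in required:
        if flag not in tokens:
            tokens.append(flag)
    return ",".join(tokens)


def ensure_fstab_flags(fstab_text, flags_by_mount):
    """Apply ensure_mount_opts to the fstab lines whose mount point is listed.

    Comments, blank lines and unlisted mounts are returned unchanged, so a
    second run over the result produces identical text.
    """
    out = []
    for line in fstab_text.splitlines():
        m = FSTAB_LINE.match(line)
        is_comment = line.lstrip().startswith("#")
        if m and not is_comment and m.group(2) in flags_by_mount:
            opts = ensure_mount_opts(m.group(4), flags_by_mount[m.group(2)])
            line = m.group(1) + m.group(2) + m.group(3) + opts + m.group(5)
        out.append(line)
    tail = "\n" if fstab_text.endswith("\n") else ""
    return "\n".join(out) + tail


class FilterModule(object):
    """Lets a playbook call the merge as a filter when this file is placed
    in a filter_plugins/ directory next to the playbook."""

    def filters(self):
        return {"ensure_mount_opts": ensure_mount_opts}


if __name__ == "__main__":
    print(ensure_fstab_flags(SAMPLE_FSTAB, WANTED), end="")
```

Because the merge works from the options written in fstab, it does not copy the runtime flags (rw, seclabel, attr2 and so on) that ansible_mounts reports into the file.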


[ansible-project] Re: Ansible and SELinux Issues

2021-12-09 Thread Dan Linder
 

In my environment, I found that we had to add the “remote_tmp” variable and 
make it unique per user.  I think you’re running into the same thing if you 
look at the error message from that point of view:

Permission denied:
unix_listener: *cannot bind to path: /root*/.ansible/cp/

If it’s the same issue I experienced, adding this to my user (or service 
account) “.ansible.cfg” file helped:

[defaults]
remote_tmp = /tmp/ansible.${USER}

And yes, that is a literal "${USER}" in the path - when the remote machine 
sets the variable it is expanded to the user account that Ansible connected 
as.

Dan

On Monday, December 6, 2021 at 8:59:26 AM UTC-6 Ryan P wrote:

> Hi all,
>
> My Ansible server has lost the ability to login to any of my hosts (itself 
> included) and I am hoping others have had a similar issue.
>
> The server in question is a RHEL7 server that is required to be configured 
> according to the DISA STIG. In particular, after 
> implementing RHEL-07-020023 - which requires administrative groups in 
> sudoers to have the sysadm_r and sysadm_t role applied, Ansible completely 
> loses its ability to log into the hosts. The error is as follows:
>
> Permission denied:
> unix_listener: cannot bind to path: /root/.ansible/cp/ characters>
>
> When switching back to unconfined_r and unconfined_t, Ansible works as 
> expected. 
>
> Unfortunately I'm not able to dispute with my security department as to 
> why the sysadm context is just a drunken version of the unconfined 
> context, so if anyone has any suggestions I would be extremely grateful. 
>
> - Ryan P
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/0d8a2ac4-8b3a-45b3-80d3-a4537e36260cn%40googlegroups.com.


Re: [ansible-project] Stouck in Ansible

2021-07-19 Thread Dan Linder
Abdul,

If you're stuck as to how to ask the question, the StackOverflow "How do I 
ask a good question?" is a good reference. 

https://stackoverflow.com/help/how-to-ask

Dan

On Monday, July 19, 2021 at 2:51:02 AM UTC-5 dick@geant.org wrote:

> This is almost zero information to help you with. Please provide more 
> details. 
>
> On Mon, 19 Jul 2021 at 09:15, Abdul Waheed Khan  
> wrote:
>
>> Hi everyone,
>> i am new in this forum . i am configuring ansible (tyk-ansible) but stuck 
>> in .
>> please help me.
>> Regards,
>>  Abdul waheed 
>>
>>
> -- 
> Sent from a mobile device - please excuse the brevity, spelling and 
> punctuation.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/b3e4e763-64e8-45e6-b307-1f579a302389n%40googlegroups.com.


Re: [ansible-project] Stripping YAML dashes from output

2020-11-13 Thread Dan Linder
> Ultimately I'd like to figure out how to add a semicolon after each entry, 

This should do that; join with a semicolon not a newline: | join('; ') 

> then separate them into batches of 500 emails each 

Since you have the list already, you could use a `for` loop with an `if` 
test to insert a new-line to get the batches:

This should work assuming your full list of addresses is in 
`list_of_addresses`:
{% for email_item in list_of_addresses %}{{ email_item }}{% if loop.index is divisibleby 500 %}{{ '\n' -}}{% else %};{% endif %}{% endfor %}
(note, all on one line)

All you need to do is replace the `list_of_addresses` with your YAML list 
of addresses and you should get your list broken into 500 element lines.

You can check your Jinja syntax by using this site: 
https://cryptic-cliffs-32040.herokuapp.com/

On Friday, November 13, 2020 at 11:51:32 AM UTC-6 lift...@gmail.com wrote:

> Perfect!  Exactly what I needed. Ultimately I'd like to figure out how to 
> add a semicolon after each entry, then separate them into batches of 500 
> emails each, but I can worry about that later. This works for now. 
>
> Thanks 
> Harry
>
> On Fri, Nov 13, 2020, 12:44 PM Stefan Hornburg (Racke)  
> wrote:
>
>> On 11/13/20 6:28 PM, harry devine wrote:
>> > So how do I get rid of the u?  What I ultimately wanted was JUST the 
>> email addresses. 
>> > 
>> > Harry 
>>
>> Join the list members into a string: | join('\n')
>>
>> Regards
>>  Racke
>>
>> > 
>> > On Fri, Nov 13, 2020, 12:15 PM Dick Visser > dick@geant.org>> wrote:
>> > 
>> > This is a simple list, which is what you wanted.
>> > 
>> > On Fri, 13 Nov 2020 at 17:28, lift...@gmail.com > lift...@gmail.com> > > > wrote:
>> > >
>> > > So now I'm getting this:
>> > >
>> > > User Emails:
>> > >
>> > > Date generated: 11/13/2020 11:23:32
>> > > [u'us...@example.com ', 
>> u'us...@example.com ']
>> > >
>> > > Harry
>> > >
>> > > On Friday, November 13, 2020 at 11:13:27 AM UTC-5 
>> dick@geant.org  wrote:
>> > >>
>> > >> On Fri, 13 Nov 2020 at 16:48, lift...@gmail.com > lift...@gmail.com> > > > wrote:
>> > >>
>> > >> >> >> >> > - name: Set User Email fact
>> > >> >> >> >> > set_fact:
>> > >> >> >> >> > user_list: "{{ user_find.json.result | 
>> json_query('result[].mail') | list | to_nice_yaml }}"
>> > >>
>> > >> Try adding a pipe expression to the query, and leave out the
>> > >> 'list|to_nice_yaml':
>> > >>
>> > >>
>> > >> set_fact:
>> > >> user_list: "{{ user_find.json.result | 
>> json_query('result[].mail[]') }}"
>> > >>
>> > >>
>> > >>
>> > >> Dick
>> > >
>> > 
>> > 
>> > 
>> > -- 
>> > Dick Visser
>> > Trust & Identity Service Operations Manager
>> > GÉANT
>> > 
>>
>>
>> -- 
>> Ecommerce and Linux consulting + Perl and web application programming.
>> Debian and Sympa administration. Provisioning with Ansible.
>>
>> -- 

Re: [ansible-project] Is it possible to SKIP task programmatically? Using callback module?

2020-11-02 Thread Dan Linder
What I've done for cases like this is use "when:" blocks on an include to 
pull in (or not) additional tasks.

From the 'include:' module:
```
- name: Include task list in play only if the condition is true
  include: "{{ hostvar }}.yaml"
  static: no
  when: hostvar is defined
```

Or if you don't have them broken out well, you can use Ansible blocks with 
"when:" conditionals as shown in the block documentation.

I'm kind of an Ansible purist, so your mention of the callback 
updating/querying a database raised concerns.

On Monday, November 2, 2020 at 9:15:26 AM UTC-6 Luke C wrote:

> Yes, that's true and I am aware of that. However, just like I said I 
> thought it would be quick and easy :) 
>
>
> On Monday, 2 November 2020 at 15:50:09 UTC+1 brae...@gmail.com 
> wrote:
>
>> On 11/2/20 3:30 PM, Luke C wrote: 
>> > All right, so I created a callback plugin which saves information 
>> automatically about each executed task to external 
>> > database, to put it concisely it holds of lots of information about 
>> task execution (output, hostname etc) + other needed 
>> > by users.  
>> > For each task unique identifier (not Ansible TASKUUID) is also 
>> generated - it is a combination of few fields.   
>> > That Custom UUID is being saved to that database as well.  
>> > 
>> > The idea is to not execute any tasks in that playbook(s) more than 
>> once, for this purpose Custom UUID should be checked. 
>> > Tasks shouldn't be executed more than once on a server because of 
>> irreversible actions done by those external legacy 
>> > scripts. (no comments on that, can't be changed for now)  
>> > 
>> > With when condition it would be problematic to check Custom_UUID for 
>> each task because it's not and can't be hardcoded 
>> > (can differ). 
>> > So, my first thought was to create or rather enhance my callback plugin 
>> to GET data from DB to check whether this 
>> > particular task has been already executed or not.  
>> > If yes, it should be omitted. 
>> > 
>>
>> I'm not sure if your setup really makes sense ... it has a smell of 
>> overengineering. Ansible is supposed to at least 
>> go through the tasks to ensure that to ascertain that the desired status 
>> has been reached. 
>>
>> Regards 
>> Racke 
>>
>> > 
>> > 
>> > On Monday, 2 November 2020 at 14:40:14 UTC+1 raub...@gmail.com 
>> wrote: 
>> > 
>> > On Mon, Nov 2, 2020 at 8:08 AM Luke C  wrote: 
>> > > 
>> > > Thanks for the reply. 
>> > > Yes I know ... :) 
>> > > 
>> > > The problem is that I want to have dynamic when conditions for huge 
>> amount of tasks. 
>> > > With standard when condition I would have to provide a particular 
>> static condition for each task (which in fact 
>> > are mostly external script executions). 
>> > > I thought it would be just easier and faster with additional callback 
>> module. 
>> > > 
>> > I too am confused. I use when() to include an entire task file 
>> > or just do a task. And I could swear I have whens that looked like 
>> > 
>> > when: 
>> > - variable-I-populated-or-registered-a-few-lines-ago.stdout == 
>> > variable-I-populated-in-an-earlier-task-file-on-my-way-here.stdout 
>> > 
>> > > Kind regards 
>> > > Luke 
>> > > 
>> > > 
>> > > On Monday, 2 November 2020 at 13:57:43 UTC+1 brae...@gmail.com 
>> wrote: 
>> > >> 
>> > >> On 11/2/20 1:49 PM, Luke C wrote: 
>> > >> > Hey guys 
>> > >> > 
>> > >> > I would like to ask whether it's possible to SKIP task 
>> programmatically, using python & callback module? 
>> > >> > 
>> > >> > I've been trying to do this for 3 days and I still don't know how. 
>> > >> > Is there some special variable which I could use in 
>> *v2_runner_on_start *or *v2_playbook_on_task_start* methods? 
>> > >> > 
>> > >> > I don't want to use ansible's when condition, task should be 
>> omitted dynamically basing on the results gathered 
>> > earlier. 
>> > >> > 
>> > >> > e.g.: 
>> > >> > def v2_runner_on_start(self, host, task): 
>> > >> >     if self.checksomething(): 
>> > >> >         print("Task should be omitted") 
>> > >> >  
>> > >> >     else: 
>> > >> >         print("Yes, task should be executed, proceed") 
>> > >> > 
>> > >> > 
>> > >> 
>> > >> Do you know that Ansible's when conditions can be very well based on 
>> results gathered earlier? 
>> > >> 
>> > >> Regards 
>> > >> Racke 
>> > >> 
>> > >> > 
>> > >> > 

Re: [ansible-project] Advice on build Immutable VM's ( VMware )

2020-10-28 Thread Dan Linder
On Tuesday, October 27, 2020 at 2:41:06 AM UTC-5 SP wrote:

> An immutable vm in which servers are never modified after they’re 
> deployed. If something needs to be updated, fixed, or modified in any way, 
> new servers built from a common image with the appropriate changes are 
> provisioned to replace the old ones. After they’re validated, they’re put 
> into use and the old ones are decommissioned. 
>

So the suggestions in the thread still meet your need, you just need to 
look at what you're requesting from a slightly different angle.

From the Docker/Containers point of view, the "immutable image" is a binary 
container that your infrastructure uses to build the actual running 
"system" that handles your workload.

From the VM point of view, the "immutable image" *IS* the *template image* 
itself, not the VMs that are deployed.  Once the VMs are running, it would be 
possible to kick off a patch process, or other installation steps.  It 
would be a LOT of work to make the running VM truly "immutable" - and it 
would probably break a lot of services depending on the OS.

And a running container image built from one of the "immutable images" is 
just designed to be hard to login to make changes, but nothing is forcing 
it to not change.  Most any container needs some level of access to create 
temporary files, adjust system settings to join a cluster, etc.

One of your first questions was:
> How can we make Virtual Machine ( Centos/Redhat linux OS ) immutable once 
> vm deployed?

Based on this early question, I suspect that part of your confusion is 
where the "immutable" descriptor applies.  It does not apply to the VM that 
is running the workload (e.g. the web site, app server, database, etc).  
Rather, "immutable" describes the container image as it is stored in the 
container repository.  This way if the developers use a build process fully 
contained within a Git repository, and the version (hash) of that process 
is "abcd1234", and it produces a docker/container image with a hash of 
11223344, then you can be pretty safe knowing that as long as the container 
image hash is the same weeks later, the code within that image hasn't 
changed.  And your security team can audit the same build process - 
presumably able to confirm the abcd1234 hash - and they can also verify the 
container hash of 11223344 - then they are also comfortable knowing that no 
one outside your development chain has tampered with it.

If you find a week later that the container hash has changed to 43219876 
(essentially "corrupt" for some reason), anyone can see that the containers 
are different and the sites should be redeployed from the known good 
containers.  Assuming the container repository hasn't been corrupted and 
the initial container image hash is still 11223344, then you can deploy 
from there and get rid of the corrupt one.

The "immutable" comes in because you're never making code/configuration 
changes to the system that is running.  If you do have to make a change 
(e.g. a patch, configuration update, etc) you use your build process to 
produce a new container, store its hash for future reference, then replace 
each of the old running images with a copy of this new image.

Back to your question...

You can use a lot of tools to build a new VM starting only with an ISO and 
known build process (kickstart files, ansible playbooks, ISO boot strings, 
etc).  Once your process can use the stock (and well known) 
RedHat/CentOS/Ubuntu/Debian ISOs, boot a VM from it, and feed in the boot 
parameters so the system build is fully automated, then you're able to 
produce the "immutable" VM template you were initially asking about.  From 
there, your users can deploy full VMs starting with the latest version of 
the immutable VM template knowing that it is properly secured per your 
group or company's standards.
 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/2289946e-1b26-47dc-97a3-6c39b7531db0n%40googlegroups.com.


Re: [ansible-project] Advice on build Immutable VM's ( VMware )

2020-10-26 Thread Dan Linder
I'll second @abhijeet and the use of the "vmware_guest" and 
"vmware_guest_sendkey" modules.  It permits you to completely build your 
templates from a known ISO from your vendor (validated with a SHA256 
checksum), using a kickstart file of your own, and no human interaction.  
And if the checksum, kickstart, and "sendkeys" strings are all part of your 
code commit, then you're getting well into "infrastructure as code".

The "immutable" usually refers to container images brought in from an image 
repository, but the VMware template is a close analog to that.  And if you 
can re-produce the same image (as you could with a base docker image), then 
it's both immutable (at that level) and reproducible.

On Sunday, October 25, 2020 at 11:14:21 PM UTC-5 Abhijeet Kasurde wrote:

> Hi all,
>
> I wrote two articles about creating base images 
>
> 1. Automated installation of Windows Server 2012 r2 using Ansible - 
> https://medium.com/@AbhijeetKasurde/ansible-automating-windows-server-2012-r2-installation-in-vcenter-227577f5917c
> 2. Automated installation of CentOS 7 using Ansible - 
> https://medium.com/@AbhijeetKasurde/automating-centos-7-installation-using-ansible-and-kickstart-483807a3774c
>
> once installation is complete, you can mark the VMs as "Template". These 
> templates or golden images can be used to create new VMs.
>
>
> On Sun, Oct 25, 2020 at 3:06 PM Robert Brockway  
> wrote:
>
>> On Fri, 23 Oct 2020, SP wrote:
>>
>> > Hi,
>> >
>> > Advice on build Immutable VM's ( VMware ) and is that possible using
>> > Ansible ?
>> > What is the best way to do?
>>
>> Sounds like you're referring to a 'golden image'. A golden image is a 
>> static bootable image that is deployed when running up any VMs.  I prefer 
>> this approach over the alternatives.
>>
>> The golden image boots up but doesn't do anything useful.  If you're 
>> using 
>> SSH for Ansible the golden image would have accounts and keys setup so 
>> that the Ansible server can login, become superuser and install what is 
>> needed to make the system useful.
>>
>> Thus each class of host needed is built from a single image.  The golden 
>> image can be periodically updated but some people deploy them in isolated 
>> networks and run security updates before moving them in to live networks.
>>
>> A lot has been written about this online.
>>
>> Rob
>>
>>
>>
>
> -- 
> Thanks,
> Abhijeet Kasurde
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/3d561775-0612-4570-8840-4867255064adn%40googlegroups.com.
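
Added example, not from the thread and not part of any Ansible module: the two messages above rely on recorded hashes (the vendor ISO's SHA256 checksum, the kickstart and "sendkeys" strings in the commit, the image hash checked weeks later). This shows that check as a gate run before a template build. The file names, the function names and the input bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB ISO never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_build_inputs(pinned, base_dir):
    """Compare each pinned build input with the file found in base_dir.

    `pinned` maps a file name to the hex digest recorded in the repository.
    Returns {name: "ok" | "mismatch" | "missing"} so the caller can report
    exactly which input drifted instead of a single pass/fail.
    """
    report = {}
    for name, expected in pinned.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        actual = sha256_file(path)
        same = hmac.compare_digest(actual, expected.strip().lower())
        report[name] = "ok" if same else "mismatch"
    return report


def build_allowed(report):
    """Build only when at least one input was pinned and every one matched."""
    return bool(report) and all(state == "ok" for state in report.values())


def demo():
    """Pin three constructed inputs, verify, then alter one and delete one."""
    with tempfile.TemporaryDirectory() as work:
        inputs = {
            "installer.iso": b"constructed stand-in for the vendor ISO",
            "ks.cfg": b"# constructed kickstart\nrootpw --lock\n",
            "sendkeys.txt": b"inst.ks=cdrom:/ks.cfg\n",
        }
        for name, data in inputs.items():
            with open(os.path.join(work, name), "wb") as fh:
                fh.write(data)
        # In a real repository these digests are committed next to the code.
        pinned = {n: hashlib.sha256(d).hexdigest() for n, d in inputs.items()}

        before = check_build_inputs(pinned, work)

        with open(os.path.join(work, "ks.cfg"), "ab") as fh:
            fh.write(b"# unreviewed edit\n")
        os.remove(os.path.join(work, "sendkeys.txt"))
        after = check_build_inputs(pinned, work)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before, "build allowed:", build_allowed(before))
    print("after: ", after, "build allowed:", build_allowed(after))
```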


Re: [ansible-project] Ansible tower issue

2020-10-11 Thread Dan Linder
I'm not trying to be snarky, but if you are truly "able to do it in the 
ansible cli with same user" then you wouldn't be receiving the error 
"rsync: change_dir \\"/opt/tibco/image\\" failed: Permission denied (13)"

If this is as urgent as your messages are implying, you need to try some of 
the suggestions that were listed above.

If this playbook is working through Tower works on a couple of other 
systems, but not this specific system, then you need to provide information 
about both systems, especially the "/opt/tibco/image" directory.  For 
instance, what user and group own the "image" directory?  Is the 
"/opt/tibco/image" actually a directory?  How do those compare to the 
systems that work?

You've given us nothing additional to work with on this error aside from 
the generic error message.  (And Googling for the error message - 'rsync: 
change_dir \"/opt/tibco/image\" failed: Permission denied (13)' - shows 
that most any time this occurs, it is due to invalid permissions to access 
that directory.)

And as "dick@geant.org" mentioned, if this is urgent and critical to 
your business, you should have a support contract with Red Hat for 
business-critical tools such as Ansible Tower.

On Saturday, October 10, 2020 at 8:16:35 AM UTC-5 shaikabdu...@gmail.com wrote:

> But I am able to do it in the ansible cli with same user, but facing issue 
> in the tower.
>
> Can you please help where I have missed.
>
> On Sat, Oct 10, 2020 at 5:07 PM Nick Schendel  wrote:
>
>> Looks like your issue is a permissions problem:
>>
>> change_dir \\"/opt/tibco/image\\" failed: Permission denied
>>
>>
>> I'd check permissions on that directory.  Seems like it's probably the 
>> destination directory at first glance.  Make sure the user that ansible is 
>> connecting as has permissions to write there.
>>
>> On Fri, Oct 9, 2020, 10:31 PM Abdulrazzaq shaik  
>> wrote:
>>
>>> Hi all,
>>>
>>> Kindly help on the below issue,
>>>
>>> I was trying to copy a 2gb file from ansible controller to ansible node where 
>>> I am using copy / synchronize module and all my playbooks are working fine in 
>>> the ansible cli; when it comes to ansible tower I am getting the below error.
>>>
>>> Kindly help what could be the issue.
>>>
>>> *Error:*
>>> fatal: [ p01lap095.corp.tet.tst   ]: FAILED! => {
>>> "changed": false, 
>>> "cmd": "sshpass -d8 /usr/bin/rsync --delay-updates -F --compress 
>>> --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o 
>>> UserKnownHostsFile=/dev/null --out-format=<>%i %n%L 
>>> /opt/tibco/image/binaries.tar tibco@ p01lap095.corp.tet.tst :/opt/tibco", 
>>> "invocation": {
>>> "module_args": {
>>> "_local_rsync_password": 
>>> "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
>>> "_local_rsync_path": "rsync", 
>>> "_substitute_controller": false, 
>>> "archive": true, 
>>> "checksum": false, 
>>> "compress": true, 
>>> "copy_links": false, 
>>> "delete": false, 
>>> "dest": "tibco@ p01lap095.corp.tet.tst  :/opt/tibco", 
>>> "dest_port": null, 
>>> "dirs": false, 
>>> "existing_only": false, 
>>> "group": null, 
>>> "link_dest": null, 
>>> "links": null, 
>>> "mode": "push", 
>>> "owner": null, 
>>> "partial": false, 
>>> "perms": null, 
>>> "private_key": null, 
>>> "recursive": null, 
>>> "rsync_opts": [], 
>>> "rsync_path": null, 
>>> "rsync_timeout": 0, 
>>> "set_remote_user": true, 
>>> "src": "/opt/tibco/image/binaries.tar", 
>>> "ssh_args": null, 
>>> "times": null, 
>>> "verify_host": false
>>> }
>>> }, 
>>> "msg": "Warning: Permanently added 
>>> 'p01lap095.corp.tet.tst,xxx.xxx.xx.xxx' (ECDSA) to the list of known 
>>> hosts.\\r\\n\\n*
>>>   
>>>  THIS SYSTEM AND ALL RELATED INFORMATION ACCESSED THEREBY IS THE PROPERTY  
>>>   
>>> *\\n\\n\\nrsync:
>>>  
>>> change_dir \\"/opt/tibco/image\\" failed: Permission denied (13)\\nrsync 
>>> error: some files/attrs were not transferred (see previous errors) (code 
>>> 23) at main.c(1179) [sender=3.1.2]\\n", 
>>> "rc": 23
>>> }
>>>
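
One way to carry out the ownership checks suggested in this thread, as an added example that is not code from any of the posters: walk every component of the source path and report the first one that a given account cannot enter, which is what rsync's `change_dir ... Permission denied (13)` points at. Only classic mode bits are evaluated (no ACLs or SELinux), and the uid and group ids to test are supplied by the caller.

```python
import os
import stat


def can_search(st, uid, gids):
    """True if the account (uid, gids) may enter the directory described by st.

    Uses the standard owner / group / other precedence on the execute
    ("search") bit; root is never blocked by mode bits.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def walk_path(path, uid, gids):
    """Return one report row per path component, from / down to path."""
    rows = []
    current = os.sep
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    for part in [""] + parts:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except OSError as exc:
            # The account running this script could not even stat the entry.
            rows.append({"path": current, "error": exc.strerror})
            break
        is_dir = stat.S_ISDIR(st.st_mode)
        rows.append({
            "path": current,
            "is_dir": is_dir,
            "owner_uid": st.st_uid,
            "group_gid": st.st_gid,
            "mode": stat.filemode(st.st_mode),
            "searchable": is_dir and can_search(st, uid, gids),
        })
    return rows


def first_blocker(path, uid, gids):
    """Path of the first component the account cannot enter, or None."""
    for row in walk_path(path, uid, gids):
        if "error" in row or not row["searchable"]:
            return row["path"]
    return None


if __name__ == "__main__":
    # Path taken from the error message in the thread; run this as the
    # account the failing job runs under, on the host that reports the error.
    target = "/opt/tibco/image"
    me, my_groups = os.getuid(), set(os.getgroups())
    for row in walk_path(target, me, my_groups):
        print(row)
    print("first blocker:", first_blocker(target, me, my_groups))
```

Running it once as the CLI user and once as the account Tower jobs run under shows at which directory the two differ.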

Re: [ansible-project] deprecation of DEFAULT_HASH_BEHAVIOUR option

2020-09-27 Thread Dan Linder
I'll second ND that the hash_behavior option of "merge" is more usable in 
my situation - I have hashes of information that get built up in the 
playbook (one piece sets defaults for a location (i.e. "North America" vs 
"Europe" vs "Asia"), then a later part sets defaults for different 
datacenters, and later a specific subnet might over-ride other settings).  
This way I could have all my European systems default to using settings 
that applied to the entire zone, but my servers in different datacenters 
would get settings specific there (i.e. a Git or NTP server, etc), and 
individual subnets might have different NTP servers but still use the 
datacenters' Git server.

Merging hashes was a big win for this project.  Sadly, we don't have a 
"single source of truth", so we had to use multiple Ansible variable files 
to build up our "truth" and merge them with each other.  Our inventories 
were not the source of truth with all the information needed.  Without an 
external CMDB that could take into account the location, datacenter, and 
subnet (to name a few constraints), getting the data consistent would have 
been impossible with Ansible.

I'm not a programmer to the level that I can determine a better way to 
address this in Ansible, but I'm hoping someone will work through a way to 
merge them together and the hash merge behavior can be exposed again.

On Sunday, September 27, 2020 at 9:56:00 AM UTC-5 dick@geant.org wrote:

>
>
> On Sun, 27 Sep 2020 at 13:44, nd  wrote:
>
>> Hello,
>>
>> is there any documentation on why this was deprecated?
>
>
> According to the docs:
>
> This feature is fragile and not portable, leading to continual confusion 
> and misuse
>
>
>
>
>
> -- 
> Sent from a mobile device - please excuse the brevity, spelling and 
> punctuation.
>

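
The layering described in this message (location defaults, then datacenter, then subnet), as an added illustration that is not Ansible's own implementation and not code from the thread: the same three layers are combined once by replacing whole hashes and once by merging them recursively. All host names and keys are constructed sample values.

```python
from copy import deepcopy


def merge_hash(base, override):
    """Recursively merge override into a copy of base.

    Nested dicts are merged key by key; any other value (lists included)
    from override replaces the value in base.
    """
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_hash(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def replace_hash(base, override):
    """Top-level replacement: a later definition of a key wins outright."""
    result = deepcopy(base)
    result.update(deepcopy(override))
    return result


def resolve(layers, combine):
    """Fold the layers, lowest precedence first, with the given strategy."""
    settings = {}
    for layer in layers:
        settings = combine(settings, layer)
    return settings


# Constructed sample layers, ordered from broadest to most specific.
EUROPE = {
    "site": {
        "timezone": "Europe/Amsterdam",
        "git": "git.eu.example.net",
        "ntp": ["ntp.eu.example.net"],
    }
}
DATACENTER_AMS1 = {
    "site": {
        "git": "git.ams1.example.net",
        "ntp": ["ntp.ams1.example.net"],
    }
}
SUBNET_10_20 = {
    "site": {
        "ntp": ["ntp.10-20.ams1.example.net"],
    }
}
LAYERS = [EUROPE, DATACENTER_AMS1, SUBNET_10_20]


if __name__ == "__main__":
    # Merge: zone timezone, datacenter Git server, subnet NTP server.
    print("merge:  ", resolve(LAYERS, merge_hash))
    # Replace: only the subnet layer's keys survive under "site".
    print("replace:", resolve(LAYERS, replace_hash))
```

In a playbook the same per-variable result is available from the `combine` filter with `recursive=True`, without changing the global hash behaviour.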


Re: [ansible-project] unistall windows server

2020-09-23 Thread Dan Linder
> Thanks, please tell me about delete vm and remove vm from dns
and
> And also about remove from ad object

These are not Ansible specific topics, these are tasks that you need to
review other sources for (Microsoft.com, Google searches, co-workers, etc)
and come up with the check-list of the specific steps _your_environment_
needs to have done.  (For instance, there are 100's of "DNS" servers that
could be in use - there is not a single answer for all of them.)

You need to perform additional research.  Once you can perform these tasks
manually yourself and have those steps written down as a reference, review
the "win_" Ansible modules to look for ones that apply.  Once you're
stuck there, come back and we can help you with individual tasks from your
list that you are stuck with.

Sorry, but your questions aren't Ansible related at this point.

On Wed, Sep 23, 2020 at 12:06 AM PRAVEEN KATTULAPALLI <
159y1a0...@ksrmce.ac.in> wrote:

> And also about remove from ad object
>
> On Wed 23 Sep, 2020, 10:34 AM PRAVEEN KATTULAPALLI, <
> 159y1a0...@ksrmce.ac.in> wrote:
>
>> Thanks, please tell me about delete vm and remove vm from dns
>>
>> On Wed 23 Sep, 2020, 9:32 AM Gajendra Gaikwad, <
>> gajendra.y.gaik...@gmail.com> wrote:
>>
>>> Yes as Dan said, make a list what is the current process
>>>
>>> For example
>>>
>>> 1. Playbook 1 - keep server in quarantine mode for 30 days (vm machine)
>>>   - remove or keep server in maintenance mode in monitoring
>>>   -  take full backup
>>>   -  stop backup job
>>>   - shutdown vm
>>>   - rename vm with current date
>>> 2. After quarantine
>>>   - remove from dns
>>>   - remove ad object
>>>   - remove from backup job
>>>   - remove from monitoring
>>>   - delete vm from VMware
>>>   -  update free ip list
>>>   - update cmdb
>>>
>>>
>>> On Wed, 23 Sep 2020, 01:08 Dan Linder,  wrote:
>>>
>>>> When I get to a point where I'm asking "How do I do X in Ansible", my
>>>> first step is to make a checklist of what I would do if I was doing it
>>>> manually.
>>>>
>>>> Assuming when you ask "Windows server uninstallation" you mean to
>>>> remove the host from AD, remove it from DNS, delete files, etc., then start
>>>> decomposing each of those big steps into individual Ansible plays.
>>>>
>>>> On Tuesday, September 22, 2020 at 2:16:32 PM UTC-5
>>>> gajendra@gmail.com wrote:
>>>>
>>>>> Do you mean decommission the windows machine from the infra??
>>>>>
>>>>> On Tue, 22 Sep 2020, 20:28 PRAVEEN KATTULAPALLI, <
>>>>> 159y1...@ksrmce.ac.in> wrote:
>>>>>
>>>>>> Hii all,
>>>>>> could anyone share ansible script or basic format of script for
>>>>>> windows server uninstallation. i couldn't find any related scripts or
>>>>>> modules in official docs.
>>>>>>

Re: [ansible-project] unistall windows server

2020-09-22 Thread Dan Linder
When I get to a point where I'm asking "How do I do X in Ansible", my first 
step is to make a checklist of what I would do if I was doing it manually.

Assuming when you ask "Windows server uninstallation" you mean to remove 
the host from AD, remove it from DNS, delete files, etc., then start 
decomposing each of those big steps into individual Ansible plays.

On Tuesday, September 22, 2020 at 2:16:32 PM UTC-5 gajendra@gmail.com 
wrote:

> Do you mean decommission the windows machine from the infra??
>
> On Tue, 22 Sep 2020, 20:28 PRAVEEN KATTULAPALLI, <159y1...@ksrmce.ac.in> 
> wrote:
>
>> Hii all,
>> could anyone share ansible script or basic format of script for windows 
>> server uninstallation. i couldn't find any related scripts or modules in 
>> official docs.
>>
>



Re: [ansible-project] Re: remove mysql

2020-07-16 Thread Dan Linder
The actions that those two tasks perform look to be the same, but you 
should update the "name:" field to better reflect that the job is 
removing/un-installing those packages.

On Thursday, July 16, 2020 at 8:58:44 AM UTC-5 tdub...@gmail.com wrote:

> control server is ubuntu 19.10
> client is 20.04
>
> ok working now
>
>
> are these 2 pb doing same thing?
>
> ---
> - hosts: all
>   become: true
>   vars_files:
>     - vars/default.yml
>
>   tasks:
>     - name: Install prerequisites
>       apt:
>         name:
>           - apache2
>           - mysql-server
>           - mysql-client
>           - python3-pymysql
>           - php
>           - php-mysql
>           - libapache2-mod-php
>         update_cache: yes
>         state: absent
>         autoremove: yes
>         purge: yes
>
>
>
> -
>
>
> ---
> - hosts: all
>   become: true
>   vars_files:
>     - vars/default.yml
>
>   tasks:
>     - name: Install prerequisites
>       apt: name={{ item }} state=absent
>       loop: [ 'aptitude' ]
>
>     # Apache Configuration
>     - name: Install LAMP Packages
>       apt: name={{ item }} update_cache=yes state=absent autoremove=yes purge=yes
>       loop: [ 'apache2', 'mysql-server', 'python3-pymysql', 'php', 'php-mysql', 'libapache2-mod-php' ]
>
> On Wed, Jul 15, 2020 at 12:34 PM Stefan Hornburg (Racke) wrote:
>
>> On 7/15/20 6:55 PM, Tony Wong wrote:
>> > this was the original install and I am just trying to reverse the 
>> installs
>> > 
>> > 
>>
>> What is the distribution and the release of the target server(s)?
>>
>> Regards
>>   Racke
>>
>> > ---
>> > - hosts: all
>> >   become: true
>> >   vars_files:
>> >     - vars/default.yml
>> >   tasks:
>> >     - name: Install prerequisites
>> >       apt: name={{ item }} update_cache=yes state=absent force_apt_get=yes
>> >       loop: [ 'aptitude' ]
>> >
>> >     # Apache Configuration
>> >     - name: Install LAMP Packages
>> >       apt: name={{ item }} update_cache=yes state=absent
>> >       loop: [ 'apache2', 'mysql-server', 'python3-pymysql', 'php', 'php-mysql', 'libapache2-mod-php' ]
>> >
>> >     - name: Create document root
>> >       file:
>> >         path: "/var/www/{{ http_host }}"
>> >         state: directory
>> >         owner: "{{ app_user }}"
>> >         mode: '0755'
>> >
>> >     - name: Set up Apache virtualhost
>> >       template:
>> >         src: "files/apache.conf.j2"
>> >         dest: "/etc/apache2/sites-available/{{ http_conf }}"
>> >       notify: Reload Apache
>> >
>> >     - name: Enable new site
>> >       shell: /usr/sbin/a2ensite {{ http_conf }}
>> >       notify: Reload Apache
>> >
>> >     - name: Disable default Apache site
>> >       shell: /usr/sbin/a2dissite 000-default.conf
>> >       when: disable_default
>> >       notify: Reload Apache
>> >
>> >     # MySQL Configuration
>> >     - name: Sets the root password
>> >       mysql_user:
>> >         name: root
>> >  
>> > 
>>
>>
>> -- 
>> Ecommerce and Linux consulting + Perl and web application programming.
>> Debian and Sympa administration. Provisioning with Ansible.
>>
>



[ansible-project] Re: remove mysql

2020-07-15 Thread Dan Linder
> I tried this pb but its not uninstalling 

Can you be more specific?  What version of Ansible are you using, what 
version of Debian/Ubuntu is the server you're working on?

What is the output of this command when you run it on the machine you're 
wanting to remove the packages from:

 apt list | egrep '^mysql-server/|^mysql-client/|^python3-pymysql/|^php/|^libapache2-mod-php/'

Can you write a playbook with just the single task and run it with "-vvv" 
and paste the output in a response here?

The indenting in your previous example is slightly askew, and it is missing 
the "state: absent" parameter, but I'll make the assumption that is just a 
copy-and-paste error.

On Wednesday, July 15, 2020 at 12:21:47 PM UTC-5 tdub...@gmail.com wrote:

> I tried this pb but its not uninstalling
>
>
> --
> - hosts: all
>   become: true
>   vars_files:
> - vars/default.yml
>
>   tasks:
> - name: remove
>
>   apt:
>name:
> - mysql-server
> - mysql-client
> - python3-pymysql
> - php
> - php-mysql
> - libapache2-mod-php
>
> On Wed, Jul 15, 2020 at 9:55 AM Tony Wong  wrote:
>
>> this was the original install and I am just trying to reverse the installs
>>>
>>
>> ---
>> - hosts: all
>>   become: true
>>   vars_files:
>>     - vars/default.yml
>>   tasks:
>>     - name: Install prerequisites
>>       apt: name={{ item }} update_cache=yes state=absent force_apt_get=yes
>>       loop: [ 'aptitude' ]
>>
>>     # Apache Configuration
>>     - name: Install LAMP Packages
>>       apt: name={{ item }} update_cache=yes state=absent
>>       loop: [ 'apache2', 'mysql-server', 'python3-pymysql', 'php', 'php-mysql', 'libapache2-mod-php' ]
>>
>>     - name: Create document root
>>       file:
>>         path: "/var/www/{{ http_host }}"
>>         state: directory
>>         owner: "{{ app_user }}"
>>         mode: '0755'
>>
>>     - name: Set up Apache virtualhost
>>       template:
>>         src: "files/apache.conf.j2"
>>         dest: "/etc/apache2/sites-available/{{ http_conf }}"
>>       notify: Reload Apache
>>
>>     - name: Enable new site
>>       shell: /usr/sbin/a2ensite {{ http_conf }}
>>       notify: Reload Apache
>>
>>     - name: Disable default Apache site
>>       shell: /usr/sbin/a2dissite 000-default.conf
>>       when: disable_default
>>       notify: Reload Apache
>>
>>     # MySQL Configuration
>>     - name: Sets the root password
>>       mysql_user:
>>         name: root
>>  
>>
>



Re: [ansible-project] run_once not working to register value of curl

2020-04-15 Thread Dan Linder
When you say "variable is not available between plays in the same 
playbook", that is a different question than the one originally asked in 
this thread.

I'd suggest you post a very minimal playbook showing the error so we can 
reproduce it and assist you further with that problem.

You wrote "I think I did not understand what you want to debug."

The playbook example was trying to "baby step" adding a couple more tasks 
in the play, and introduce a few additional variables.  I might have 
confused you by using the "debug:" module.

On Wednesday, April 15, 2020 at 2:43:51 AM UTC-5, Nicola Contu wrote:
>
> I am sorry Dan,
> I think I did not understand what you want to debug.
> This playbook does not work and I can't make it working.
>
> Sorry about that.
>
> Btw, the issue is that the variable is not available between plays in the 
> same playbook. I just want to know how to pass those variable to the next 
> play because it does not seem to be automatic.
>
> Thanks
>
> On Fri, Apr 10, 2020 at 23:41 Dan Linder wrote:
>
>> So, from that output we know that the 'PHP_SITE_RESPONSE' variable is 
>> being set and we have the variable structure to look at.
>>
>> Your error from a few messages back just showed:
>> {"msg": "The task includes an option with an undefined variable. The 
>> error was: 'PHP_SITE_RESPONSE' is undefined
>>
>> I assume that was from one of these tasks:
>> ```
>> - name: Write header
>>   run_once: true
>>   lineinfile: dest=/home/ncontu/test.txt create=yes line="LATEST VERSION PHP {{PHP_SITE_RESPONSE.json.version}} HTTPD {{HTTPD_SITE_VERSION.stdout_lines[0]VERSION.stdout_lines[0]}}"
>>   delegate_to: 127.0.0.1
>>
>> - name: Write to local disk
>>   lineinfile: dest=/home/ncontu/test.txt insertafter=EOF create=yes line="{{ ansible_fqdn }} {{CURRENT_PHP_VERSION.stdout_lines[0]}} {{CURRENT_HTTPD_VERSI}} {{CURRENT_GIT_VERSION.stdout_lines[0]}}"
>>   delegate_to: 127.0.0.1
>>   when: CURRENT_PHP_VERSION.stdout_lines[0] != PHP_SITE_RESPONSE.json.version or CURRENT_HTTPD_VERSION.stdout_lines[0] != HTTPD_SITE_VERSION.stdout_lines[VERSION.stdout_lines[0] != GIT_SITE_VERSION.stdout_lines[0]
>> ```
>>
>> As a next step I'd add each of those tasks one at a time into the small 
>> playbook you just wrote/tested but change the tasks to further "debug" 
>> calls:
>>
>> ```
>> - hosts: "{{ variable_host }}"
>>   serial: 1
>>   tasks:
>>     -
>>       name: "Get PHP version from site"
>>       register: PHP_SITE_RESPONSE
>>       uri:
>>         body_format: json
>>         method: GET
>>         return_content: true
>>         url: "https://www.php.net/releases/?json=7.2"
>>       run_once: true
>>       delegate_to: 127.0.0.1
>>
>>     -
>>       name: "Show PHP version from site"
>>       debug:
>>         var: PHP_SITE_RESPONSE
>>
>>     - name: DEBUG Write header
>>       run_once: true
>>       debug: |
>>         lineinfile: dest=/home/ncontu/test.txt create=yes line="LATEST VERSION PHP {{PHP_SITE_RESPONSE.json.version}} HTTPD {{HTTPD_SITE_VERSION.stdout_lines[0]VERSION.stdout_lines[0]}}"
>>       delegate_to: 127.0.0.1
>> ```
>>
>> On Friday, April 10, 2020 at 1:06:08 PM UTC-5, Nicola Contu wrote:
>>>
>>> [ncontu@cmd-config cmd]$ ansible-playbook playbooks/test.yml -e 
>>> "variable_host=127.0.0.1"
>>> [DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set 
>>> to allow bad characters in group names by default, this will change, but 
>>> still be user configurable on
>>>  deprecation. This feature will be removed in version 2.10. Deprecation 
>>> warnings can be disabled by setting deprecation_warnings=False in 
>>> ansible.cfg.
>>>  [WARNING]: Invalid characters were found in group names but not 
>>> replaced, use - to see details
>>>
>>>
>>> PLAY [127.0.0.1] 
>>> ***
>>>
>>> TASK [Gathering Facts] 
>>> *
>>> ok: [127.0.0.1]
>>>
>>> TASK [Get PHP versi

Re: [ansible-project] run_once not working to register value of curl

2020-04-10 Thread Dan Linder
;application/json",
> "cookies": {
> "COUNTRY": "NA%2C208.77.65.47"
> },
> "cookies_string": "COUNTRY=NA%2C208.77.65.47",
> "date": "Fri, 10 Apr 2020 18:05:04 GMT",
> "elapsed": 0,
> "etag": "\"myra-2a0383c2\"",
> "expires": "Fri, 10 Apr 2020 18:05:04 GMT",
> "failed": false,
> "json": {
> "announcement": true,
> "date": "19 Mar 2020",
> "source": [
> {
> "date": "19 Mar 2020",
> "filename": "php-7.2.29.tar.bz2",
> "name": "PHP 7.2.29 (tar.bz2)",
> "sha256": 
> "eaa1f5503f2bf0c8569ec4ae80ffd8ca8cbc260f01c2503dd0e83dfc9cf0b923"
> },
> {
> "date": "19 Mar 2020",
> "filename": "php-7.2.29.tar.gz",
> "name": "PHP 7.2.29 (tar.gz)",
> "sha256": 
> "ea5c96309394a03a38828cc182058be0c09dde1f00f35809622c2d05c50ee890"
> },
> {
> "date": "19 Mar 2020",
> "filename": "php-7.2.29.tar.xz",
> "name": "PHP 7.2.29 (tar.xz)",
> "sha256": 
> "b117de74136bf4b439d663be9cf0c8e06a260c1f340f6b75ccadb609153a7fe8"
> }
> ],
> "tags": [
> "security"
> ],
> "version": "7.2.29"
> },
> "msg": "OK (unknown bytes)",
> "redirected": false,
> "server": "myracloud",
> "set_cookie": "COUNTRY=NA%2C208.77.65.47; expires=Fri, 17-Apr-2020 
> 18:05:04 GMT; Max-Age=604800; path=/; domain=.php.net",
> "status": 200,
> "transfer_encoding": "chunked",
> "url": "https://www.php.net/releases/?json=7.2;,
> "x_frame_options": "SAMEORIGIN"
> }
> }
>
> PLAY RECAP 
> *
> 127.0.0.1  : ok=3changed=0unreachable=0   
>  failed=0skipped=0rescued=0ignored=0
>
> On Fri, Apr 10, 2020 at 19:38 Dan Linder wrote:
>
>> Hi Nicola,
>>
>> I'd take a big step back and reduce your playbook to just a couple of 
>> tasks:
>>
>> ```
>> - hosts: "{{ variable_host }}"
>>   serial: 1
>>   tasks:
>>     -
>>       name: "Get PHP version from site"
>>       register: PHP_SITE_RESPONSE
>>       uri:
>>         body_format: json
>>         method: GET
>>         return_content: true
>>         url: "https://www.php.net/releases/?json=7.2"
>>       run_once: true
>>       delegate_to: 127.0.0.1
>>
>>     -
>>       name: "Show PHP version from site"
>>       debug:
>>         var: PHP_SITE_RESPONSE
>> ```
>>
>> What output does that produce?
>>
>> DanL
>>
>> On Friday, April 10, 2020 at 8:48:06 AM UTC-5, Nicola Contu wrote:
>>>
>>> Hello,
>>> I am trying to get the latest version of few softwares and comparing it 
>>> with a list of hosts with the current installed.
>>>
>>> Calling the github API is creating issues with the number of call due to 
>>> the list of hosts that is quite big.
>>> So I would like to register the latest versions in a variable and then 
>>> use it to compare for each host.
>>>
>>>  I tried a lot of things, like run_once, changed_when but it seems like 
>>> it is not working.
>>>
>>> Here is the playbook.
>>>
>>> - hosts: "{{ variable_host }}"
>>>   serial: 1
>>>   tasks:
>>> -
>>>   name: "Get PHP version from site"
>>>   register: PHP_SITE_RESPONSE
>>>   uri:
>>> body_format: json
>>> method: GET
>>> return_content: true
>>>

Re: [ansible-project] run_once not working to register value of curl

2020-04-10 Thread Dan Linder
Hi Nicola,

I'd take a big step back and reduce your playbook to just a couple of tasks:

```
- hosts: "{{ variable_host }}"
  serial: 1
  tasks:
    -
      name: "Get PHP version from site"
      register: PHP_SITE_RESPONSE
      uri:
        body_format: json
        method: GET
        return_content: true
        url: "https://www.php.net/releases/?json=7.2"
      run_once: true
      delegate_to: 127.0.0.1

    -
      name: "Show PHP version from site"
      debug:
        var: PHP_SITE_RESPONSE
```

What output does that produce?

DanL

On Friday, April 10, 2020 at 8:48:06 AM UTC-5, Nicola Contu wrote:
>
> Hello,
> I am trying to get the latest version of few softwares and comparing it 
> with a list of hosts with the current installed.
>
> Calling the github API is creating issues with the number of call due to 
> the list of hosts that is quite big.
> So I would like to register the latest versions in a variable and then use 
> it to compare for each host.
>
>  I tried a lot of things, like run_once, changed_when but it seems like it 
> is not working.
>
> Here is the playbook.
>
> - hosts: "{{ variable_host }}"
>   serial: 1
>   tasks:
>     -
>       name: "Get PHP version from site"
>       register: PHP_SITE_RESPONSE
>       uri:
>         body_format: json
>         method: GET
>         return_content: true
>         url: "https://www.php.net/releases/?json=7.2"
>       run_once: true
>       delegate_to: 127.0.0.1
>
>     -
>       name: "Get APACHE version from site"
>       shell: "curl -s 'https://api.github.com/repos/apache/httpd/tags?per_page=100' | jq -r '.[] | .name' | sort -V | grep ^2.4 | tail -n 1"
>       run_once: true
>       register: HTTPD_SITE_VERSION
>       delegate_to: 127.0.0.1
>
>     -
>       name: "Get GIT version from site"
>       shell: "curl -s 'https://api.github.com/repos/git/git/tags?per_page=100' | jq -r '.[] | .name' | sort -V | grep ^v2 | tail -n 1 | cut -f1 -d'-' | tail -
>       run_once: true
>       register: GIT_SITE_VERSION
>       delegate_to: 127.0.0.1
>
>     -
>       name: "Get current version PHP"
>       register: CURRENT_PHP_VERSION
>       shell: "/usr/local/php/bin/php --version | head -c 10 | tail -c 6"
>
>     -
>       name: "Get current version PHP"
>       register: CURRENT_HTTPD_VERSION
>       shell: "httpd -v | grep 2.4 | tail -n 1 | tail -c 14 | head -c 6"
>     -
>       name: "Get current version PHP"
>       register: CURRENT_GIT_VERSION
>       shell: "git --version | tail -c 7"
>
>     - name: Write header
>       run_once: true
>       lineinfile: dest=/home/ncontu/test.txt create=yes line="LATEST VERSION PHP {{PHP_SITE_RESPONSE.json.version}} HTTPD {{HTTPD_SITE_VERSION.stdout_lines[0]VERSION.stdout_lines[0]}}"
>       delegate_to: 127.0.0.1
>
>     - name: Write to local disk
>       lineinfile: dest=/home/ncontu/test.txt insertafter=EOF create=yes line="{{ ansible_fqdn }} {{CURRENT_PHP_VERSION.stdout_lines[0]}} {{CURRENT_HTTPD_VERSI}} {{CURRENT_GIT_VERSION.stdout_lines[0]}}"
>       delegate_to: 127.0.0.1
>       when: CURRENT_PHP_VERSION.stdout_lines[0] != PHP_SITE_RESPONSE.json.version or CURRENT_HTTPD_VERSION.stdout_lines[0] != HTTPD_SITE_VERSION.stdout_lines[VERSION.stdout_lines[0] != GIT_SITE_VERSION.stdout_lines[0]
>
>     - name: Cat produced file
>       command: /bin/cat /home/ncontu/test.txt
>       register: details
>       delegate_to: 127.0.0.1
>       run_once: true
>       when: inventory_hostname == ansible_play_hosts_all[-1]
>
>     - name: Base64 produced file
>       command: base64 /home/ncontu/test.txt
>       register: basefile
>       delegate_to: 127.0.0.1
>       run_once: true
>       when: inventory_hostname == ansible_play_hosts_all[-1]
>
>
> Any help would be much appreciated.
>
> Thanks
>


On Friday, April 10, 2020 at 11:01:23 AM UTC-5, Nicola Contu wrote:
>
> Hey Dick,
> I tried that but the subsequent play is not able to recognise those 
> variables.
>
>
> *{"msg": "The task includes an option with an undefined variable. The 
> error was: 'PHP_SITE_RESPONSE' is undefined*
>
>
> I changed the playbook like this :
>
> - hosts: 127.0.0.1
>   tasks:
>     - name: "Get PHP version from site"
>       register: PHP_SITE_RESPONSE
>       uri:
>         body_format: json
>         method: GET
>         return_content: true
>         url: "https://www.php.net/releases/?json=7.2"
>     - name: "Get APACHE version from site"
>       shell: "curl -s 'https://api.github.com/repos/apache/httpd/tags?per_page=100' | jq -r '.[] | .name' | sort -V | grep ^2.4 | tail -n 1"
>       register: HTTPD_SITE_VERSION
>     - name: "Get GIT version from site"
>       shell: "curl -s 'https://api.github.com/repos/git/git/tags?per_page=100' | jq -r

Re: [ansible-project] Unable to get correct disk space utilized percentage using Ansible API

2020-03-25 Thread Dan Linder
I'd suggest putting a debug showing you the three numbers Ansible is using 
for item.size_total and item.size_available.  As @klingac mentioned, it 
could be that the values that "df -k" reports or uses in its computation 
aren't the exact same ones that Ansible uses.

For instance, using the numbers shown in the sample "df -k" output - 
(51466720 -  40038956) / 51466720 - I calculate 22.2%, not the 19% that 
"df" reports.

On Wednesday, March 25, 2020 at 11:54:07 AM UTC-5, Shifa Shaikh wrote:
>
> @Kia Hi, 
>
> As suggested I tried 
>
> item.size_total instead of item.size_available
>
>  "{{ ansible_host }}_{{ item.mount }}: {{ (100 * ((item.size_total - 
> item.size_available) / item.size_total)) | round(1, 'common') }}" 
>
>
>
> but it still gives me 22.2 % value instead of 19%
>
> Can you please let me know what's wrong and why the difference?
>
> On Wednesday, March 25, 2020 at 10:10:24 PM UTC+5:30, Kai Stian Olstad 
> wrote:
>>
>> On Wed, Mar 25, 2020 at 07:15:51AM -0700, Shifa Shaikh wrote: 
>> > 
>> > "{{ ansible_host }}_{{ item.mount }}: {{ (100 * ((item.size_total - 
>> item.size_available) / item.size_available)) | round(1, 'common') }}" 
>>
>> That is not how you calculate percentage, you need to divide on 
>> item.size_total 
>> and not item.size_available. 
>>
>> -- 
>> Kai Stian Olstad 
>>
>

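
Why the two figures in this thread can differ, as an added example that is not code from any of the posters: GNU `df` computes Use% as used / (used + available), rounded up, with used = total blocks minus all free blocks, so blocks reserved for root drop out of the denominator, while the expression in the thread divides by the full `size_total`. The total and available figures are the ones quoted in the thread; the used figure of 9,000,000 1K-blocks is a constructed value, because the thread does not show it.

```python
import os


def naive_used_pct(size_total, size_available):
    """Expression from the thread: (total - available) / total.

    Ansible's size_available comes from statvfs f_bavail (space available to
    unprivileged users), so root-reserved blocks are counted as "used" here.
    """
    if size_total == 0:
        return 0.0
    return round(100 * (size_total - size_available) / size_total, 1)


def df_used_pct(blocks, bfree, bavail):
    """GNU df's Use%: used / (used + available), rounded up to a whole percent.

    blocks = total blocks, bfree = free blocks including the root reserve,
    bavail = free blocks available to unprivileged users.
    """
    used = blocks - bfree
    nonroot_total = used + bavail
    if nonroot_total == 0:
        return 0
    # Integer ceiling division, so no floating point rounding is involved.
    return -(-100 * used // nonroot_total)


def reserved_blocks(bfree, bavail):
    """Blocks that are free but only usable by root."""
    return bfree - bavail


def mount_usage(path):
    """Both percentages for a live mount point, computed from one statvfs call."""
    st = os.statvfs(path)
    return {
        "naive": naive_used_pct(st.f_blocks, st.f_bavail),
        "df": df_used_pct(st.f_blocks, st.f_bfree, st.f_bavail),
        "reserved_blocks": reserved_blocks(st.f_bfree, st.f_bavail),
    }


# Figures in 1K-blocks. TOTAL and AVAILABLE are quoted in the thread;
# USED is constructed for this example.
TOTAL = 51466720
AVAILABLE = 40038956
USED = 9000000
FREE = TOTAL - USED  # free blocks including the root reserve


if __name__ == "__main__":
    print("thread expression:", naive_used_pct(TOTAL, AVAILABLE))
    print("df-style Use%:    ", df_used_pct(TOTAL, FREE, AVAILABLE))
    print("root-reserved:    ", reserved_blocks(FREE, AVAILABLE))
    print("this host, /:     ", mount_usage("/"))
```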


Re: [ansible-project] Ansible password_hash issue

2020-03-10 Thread Dan Linder
What is the error and what is sending the error?  (i.e. is the error from 
"psql" or from Ansible itself?)

Can you run the playbook with "-vvv" and paste in the errors the "Reset 
Admin pw" step produces.

On Tuesday, March 10, 2020 at 11:12:17 AM UTC-5, Bala Mutyam wrote:
>
> Hi,
>
> Thanks for the reply.  By hard coding the hash working fine. 
>
> I'm trying to workout something like this but this is giving me an error.
>
>
> - name: Reset Admin pw
>   become: yes
>   become_user: postgres
>   command: psql -c "update users set crypted_password = '{{ admin_password | 
> password_hash('bcrypt', salt=None) }}' where login = 'admin'" sonarqube
>   tags: query
>
>
>
> On Tuesday, March 10, 2020 at 2:13:28 PM UTC, Dick Visser wrote:
>>
>> Your manual command has more arguments than the one in your task. 
>> Try making that consistent. 
>>
>> If that doesn't work, try hardcoding the hash in your task to see if 
>> that works at all. 
>>
>>
>>
>>
>> On Tue, 10 Mar 2020 at 13:21, Bala Mutyam  wrote: 
>> > 
>> > Hi Everyone, 
>> > 
>> > I'm trying to create a task for below command but it's not working, can 
>> you help me how to make it work please? 
>> > 
>> > Command: 
>> > 
>> > update users set crypted_password = 
>> '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, 
>> hash_method='BCRYPT' where login = 'admin' 
>> > 
>> > - name: Reset Admin pw 
>> >   become: yes 
>> >   become_user: postgres 
>> >   command: psql -c "update users set crypted_password = '{{ 
>> admin_password | password_hash('bcrypt') }}' where login = 'admin'" 
>> sonarqube 
>> >   tags: query 
>> > 
>> > 
>> > I'm successfully running the task but not able to login with the 
>> admin_password. 
>> > 
>>  
>>
>>
>>
>>
>> -- 
>> Dick Visser 
>> Trust & Identity Service Operations Manager 
>> GÉANT 
>>
>



[ansible-project] Re: Windows updates found but not installed

2020-02-29 Thread Dan Linder
I'd suggest removing the category_names and server_selection fields and see 
if the missing patches are applied.  I don't do Windows patching, but it 
might be that the "sql server sp2 gdr" is in a different category or server 
selection.

The "category_names" looks like it is a dynamic list that is dependent on 
the Windows system being patched.  The documentation for the "win_updates" 
module states that the possible category names can be produced by running 
the module in "state=searched" - possibly that would help you find a 
missing category name?

On Tuesday, February 25, 2020 at 7:00:26 AM UTC-6, Andre Gronwald wrote:
>
> hi, i had a look into the issue again.
> it seems that some updates were filtered because of the categories. that 
> is ok (.net is featurepack). but i don't know why the sql server sp2 gdr 
> wasn't found (
> https://support.microsoft.com/en-us/help/4532097/description-of-the-security-update-for-sql-server-2016-sp2-gdr-feb
> )
>
> any idea? manually i was able to install it on the server, it was found 
> immediately when searching for updates.
>
>



[ansible-project] Re: Building a VM using Ansible Tower

2020-02-23 Thread Dan Linder
> I'm not sure if there is a difference in vmware_guest module for Tower or 
> with versions. 

If the output is the same between Ansible Engine and Ansible Tower, then 
that would be my first thought.  Check the versions Tower and your test 
system are using and make sure Tower is the same version.


On Friday, February 21, 2020 at 5:58:21 PM UTC-6, Sindhu Rao wrote:
>
> I'm building a VM on Vcenter with a playbook that runs fine and creates a 
> VM when executed from the Ansible server but fails to create a VM when the 
> same playbook is executed from Ansible Tower.
> I do not see any syntax errors and I see the same job output on both the 
> Ansible server and on Ansible Tower. I'm not sure if there is a difference 
> in vmware_guest module for Tower or with versions. 
>
> My playbook is
> ---
> - name: Create a VM
>   vmware_guest:
>     hostname: "{{ hostname_esxi }}"
>     username: ansible.pfshq.com
>     password: #
>     validate_certs: False
>
>     datacenter: "{{ datacenter }}"
>
>     resource_pool: "{{ resource_pool_esxi }}"
>     cluster: "{{ cluster_esxi }}"
>     guest_id: "{{ guest_id }}"
>     folder: "/{{ datacenter }}/vm"
>     state: poweredon
>     annotation: "{{ annotation }}"
>     # hostname gets passed in command line as extra arguments -e hostname=xxx
>     name: "{{ hostname }}"
>     hardware:
>       memory_mb: "{{ memory_esxi }}"
>       num_cpus: "{{ cpu_esxi }}"
>       scsi: "{{ scsi_esxi }}"
>     wait_for_ip_address: yes
>     disk:
>     - size_gb: "{{ disk_size_1 }}"
>       type: "{{ disk_type }}"
>       datastore: "{{ datastore_cluster_1 }}"
>     - size_gb: "{{ disk_size_2 }}"
>       type: "{{ disk_type }}"
>       datastore: "{{ datastore_cluster_2 }}"
>     networks:
>     - name: "{{ network_name }}"
>       domain: "{{ domain }}"
>       device_type: "{{ device_type }}"
>       dns_servers:
>       - "{{ dns1 }}"
>       - "{{ dns2 }}"
>   delegate_to: localhost
>   register: VM
>
>



[ansible-project] Re: Windows updates found but not installed

2020-02-23 Thread Dan Linder
Can you include a simplified playbook showing the steps you're performing?

Were the systems pending a reboot from a previous update?

On Saturday, February 22, 2020 at 8:38:35 AM UTC-6, Andre Gronwald wrote:
>
> hi,
> i tried to update some sql-servers with ansible (awx).
> overall it worked fine, but some updates (latest sql-server 2016 sp2 and 
> .net-framework) were detected referring to windows update logfile but 
> not installed.
> when installing those updates manually on some servers i found further 
> updates for office that have not been installed.
>
> how can i install those updates by windows update module in ansible? i 
> tried different categories for the update, but it didn't change anything.
> any help would be appreciated.
>
> kind regards,
> andre
>



[ansible-project] Re: root user password needs to set for many servers however the password should be different password, not to be same

2019-09-18 Thread Dan Linder
Great to hear!  Thanks for the feedback.

On Wednesday, September 18, 2019 at 11:18:03 AM UTC-5, Deepan M wrote:
>
> Thank you Dan Linder, playbook is working perfect.
>
> Regards,
> Deepan M
>
> On Tuesday, September 17, 2019 at 10:06:25 PM UTC+5:30, Deepan M wrote:
>>
>> Hi,
>>
>> manually login to each servers and setting root password,  login to 
>> server1,  set password "password123" ;  then login to server2 set 
>> password "redhat123" like this i'm looking for ansible playbook, where i 
>> can automate for 100+servers.
>>
>> Idea looking forward:- 
>> 1, Random password needs to be generated.
>> 2, on each server, root user password should be reset by picking up from 
>> random password.
>>
>> Note:- For security reason, we are resetting root password on monthly 
>> basis and those password should be generated randomly and reset.
>>
>> Thanks,
>> Deepan M
>>
>>



[ansible-project] Re: root user password needs to set for many servers however the password should be different password, not to be same

2019-09-17 Thread Dan Linder
If you're ok with Ansible generating the password for you then storing it 
on the machine you ran the playbook from, then the `password` plugin might 
help a bit.

Assuming you have an inventory of servers and you're OK with saving the 
latest password to "/tmp/root.password.hostname.txt", I believe something 
like this will do what you're looking for:

- name: Force new root password
  user:
    name: root
    # The file path is built by concatenation rather than a nested "{{ }}".
    password: "{{ lookup('password', '/tmp/root.password.' ~ inventory_hostname ~ '.txt length=60 chars=ascii_letters,digits,punctuation') | password_hash('sha512', 100 | random(seed=inventory_hostname) | string) }}"
    update_password: always


This will generate a random password of ASCII letters, digits and 
punctuation, the password will be 60 characters long, and the plain-text of 
it will be stored in /tmp/root.password.{hostname}.txt for each system.

The "password_hash()" modifier on the "password:" line hashes the password 
so the "user:" module can use it.  It also assumes that the system getting 
the new password can handle SHA512 passwords.  It also uses the 
"inventory_hostname" to ensure that the hashed password is idempotent 
between runs. The "100|...|string" uses the name of the system being 
worked on as a random seed and picks a pseudo-random value to use for the 
password hash.

NOTE: The first time this is run, the /tmp/root.password.{hostname}.txt 
file is created and used.  The next time you run it, since that file exists 
it will re-use that raw password and not change it.  To change the root 
password of that server, either delete the file and a new random password 
will be assigned, or create your own password and put it in this file.

On Tuesday, September 17, 2019 at 11:36:25 AM UTC-5, Deepan M wrote:
>
> Hi,
>
> manually login to each servers and setting root password,  login to 
> server1,  set password "password123" ;  then login to server2 set 
> password "redhat123" like this i'm looking for ansible playbook, where i 
> can automate for 100+servers.
>
> Idea looking forward:- 
> 1, Random password needs to be generated.
> 2, on each server, root user password should be reset by picking up from 
> random password.
>
> Note:- For security reason, we are resetting root password on monthly 
> basis and those password should be generated randomly and reset.
>
> Thanks,
> Deepan M
>
>
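
A variant of the task above, as an added example that is not part of the original post: it keeps the generated plain-text password in a per-user directory on the control node instead of /tmp, hides the task output with no_log, and implements the "delete the file to get a new password" step from the NOTE as an optional task. The variables `password_store`, `password_file` and `rotate_password` are assumptions introduced for this example.

```yaml
---
# Added example, not from the original thread.
- hosts: all
  become: true
  gather_facts: false
  vars:
    # Assumption: a directory on the control node that only the user running
    # ansible-playbook can read. The password lookup creates it if missing.
    password_store: "{{ lookup('env', 'HOME') }}/.ansible-root-passwords"
    password_file: "{{ password_store }}/{{ inventory_hostname }}.txt"

  tasks:
    # Run with "-e rotate_password=true" for the monthly reset: removing the
    # stored file makes the lookup below generate a fresh random password.
    - name: Remove the stored password so a new one is generated
      file:
        path: "{{ password_file }}"
        state: absent
      delegate_to: localhost
      become: false
      when: rotate_password | default(false) | bool

    - name: Force new root password
      user:
        name: root
        # The salt is derived from the host name, as in the original task, so
        # the same stored password hashes to the same value on every run and
        # the task only reports "changed" after a rotation.
        password: >-
          {{ lookup('password', password_file ~ ' length=60 chars=ascii_letters,digits,punctuation')
             | password_hash('sha512', 100 | random(seed=inventory_hostname) | string) }}
        update_password: always
      no_log: true   # keep the hash out of console output and logs
```

The plain-text passwords still live on the control node, so the directory needs the same protection as any other credential store.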



Re: [ansible-project] Re: Thoughts on Dynamic Variables

2019-09-03 Thread Dan Linder
Dang!  @Karl Auer beat me to this example. :)

Depending on your needs and comfort level, here are two examples with 
sample output.

The first "userlistA" is closer to your original example and has each list 
with a name that is not consistent with the server_type variable.  That 
leads to the first three "when" clauses to set the userlist variable based 
on the server_type provided.

The second section using "userlistB" uses the server_type variable to 
select the correct user list from the dictionary - it's a single task in 
the playbook as opposed to three or more for the first method.

Here is my example playbook named "dynvar.yml":

- hosts: localhost
  gather_facts: false
  vars:
    server_type: standard_server
    userlistsA:
      list1:
        users: 'user1,user2,user3'
      list2:
        users: 'user4,user5,user6'
      list3:
        users: 'user7,user8,user1'

    userlistsB:
      db_server:
        users: 'user1,user2,user3'
      web_server:
        users: 'user4,user5,user6'
      standard_server:
        users: 'user7,user8,user1'

  tasks:
  - name: "Users for db_server - option A"
    set_fact:
      userlist: '{{ userlistsA.list1 }}'
    when: server_type=="db_server"

  - name: "Users for web_server - option A"
    set_fact:
      userlist: '{{ userlistsA["list2"] }}'
    when: server_type=="web_server"

  - name: "Users for standard_server - option A"
    set_fact:
      userlist: '{{ userlistsA.list3 }}'
    when: server_type=="standard_server"

  - debug:
      msg: "Option A - Users setup for {{ server_type }} - {{ userlist }}"

  - name: "Users for {{ server_type }} - option B"
    set_fact:
      userlist: '{{ userlistsB[server_type] }}'

  - debug:
      msg: "Option B - Users setup for {{ server_type }} - {{ userlist }}"

Running this with `ansible-playbook ./dynvar.yml` produces this output:

Output:

[WARNING]: provided hosts list is empty, only localhost is available. Note 
that the implicit localhost does not match 'all'


PLAY [localhost] **********

TASK [Users for db_server - option A] **********
skipping: [localhost]

TASK [Users for web_server - option A] **********
skipping: [localhost]

TASK [Users for standard_server - option A] **********
ok: [localhost]

TASK [debug] **********
ok: [localhost] => {"msg": "Option A - Users setup for standard_server - {'users': 'user7,user8,user1'}"}

TASK [Users for standard_server - option B] **********
ok: [localhost]

TASK [debug] **********
ok: [localhost] => {"msg": "Option B - Users setup for standard_server - {'users': 'user7,user8,user1'}"}

PLAY RECAP **********
localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0


On Tuesday, September 3, 2019 at 9:03:02 AM UTC-5, Karl Auer wrote:
>
> You could use set_fact: stanzas instead, with when: clauses.
>
> - set_fact:
>     user_list: 'user1, user2, user3'
>   when: server_type == 'db_server'
>
> Even better, use lists rather than strings. You can always turn one into 
> the other, and lists are more flexible:
>
> - set_fact:
>     user_list: ['user1', 'user2', 'user3']
>   when: server_type == 'db_server'
>
> Or something like this:
>
> vars:
>   db_users: ['user1', 'user2', 'user3']
>   web_users: ['user4', 'user5', 'user6']
>   standard_users: ['user7', 'user8', 'user9']
>
> - set_fact:
>     user_list: "{{ db_users }}"
>   when: server_type == 'db_server'
>
> Or this:
>
> vars:
>   user_groups:
>     {
>       'db_server': ['user1', 'user2', 'user3'],
>       'web_server': ['user4', 'user5', 'user6'],
>       'standard_server': ['user7', 'user8', 'user9']
>     }
>
> - set_fact:
>     user_list: "{{ user_groups[ server_type ] }}"
>
> The syntax is off the top of my head so probably full of errors, but it 
> should give you some ideas.
>
> Regards, K.
>
> On Tue, Sep 3, 2019 at 11:28 PM Cade Lambert wrote:
>
>> The problem I come across is I'll need logic to decide on the content of 
>> a variable and that logic will turn into a long string.  For example, when 
>> determining which users to add to a system, we might have a variable like:
>>
>> user_list: "{{ 'user1,user2,user3' if server_type=db_server else 
>> 'user4,user5,user6' if server_type=web_server else 'user7,user8,user1' if 
>> server_type=standard_server }}'
>>
>> These can get pretty long depending on what we're trying to do, and 
>> fairly hard to read. I 

[ansible-project] Re: Thoughts on Dynamic Variables

2019-08-30 Thread Dan Linder
A lot of our builds have site or subnet specific differences so we use 
Ansible facts to include specific YML files for either additional variables 
or branching the execution.

For example, to choose the proper method to install VMware tools on our 
systems (RHEL 6 vs 7, and internet access or not) we use something like 
this:

- name: "Include the appropriate OS steps."
  include: "{{ role_path }}/tasks/OSsetup-{{ osver }}-{{ vmwaretools_local|bool }}.yml"

Basically the "osver" variable is set earlier based on the OS name 
("RedHat" vs "Debian" vs "Ubuntu"), then use the variable 
"vmwaretools_local" to know if we need to get from a local repo 
(internally) or from the VMWare.com Internet site.

On Friday, August 30, 2019 at 9:50:00 AM UTC-5, Cade Lambert wrote:
>
> I wanted to see how you guys go about building dynamic variables.  We have 
> some playbooks/roles that require variables to be built based on various 
> things, such as user input or other variables.  I usually end up building a 
> long line of 'if-then-else' statements, which can be difficult to read and 
> troubleshoot. Is there a better way to go about this?  How do you all 
> tackle this?
>



[ansible-project] Re: best way to test for a condition and report it

2019-08-14 Thread Dan Linder
Ansible is really designed to put a system configuration into a state, so 
checking for a possible state is a bit trickier.

But, you could run the playbook in check-only mode, then register the 
result of the change, then use the result's "changed" flag in your script to 
get the report.

For instance, in check-only mode you can say "inbalancer=absent" then any 
that register "changed == true" you know are not absent, and any that are 
"changed == false", you know are already absent.

This is harder if your state has multiple possibilities (e.g. network port 
speeds: 10Mbit, 100Mbit, 1Gbit, 10Gbit), but still do-able with the 
external script.

Dan

On Tuesday, August 13, 2019 at 8:39:55 AM UTC-5, Ed Greenberg wrote:
>
> Hi, I have an ansible module that adds and removes servers from the load 
> balancer.  If I do:
>
> ansible localhost -m modulename -a 'servername=foo inbalancer=present'  
>
> it adds the module to the load balancer and reports changed if it wasn't 
> there before, and not changed if it was already there. 
>
> Same for 'inbalancer=absent'  It takes the server out of the load balancer 
> and reports changed or not changed. 
>
> So I know if the server is in the balancer when I start through this 
> section of the code.
>
> I'd like to have the module set a variable that can be (a) reported on the 
> output and (b) tested for in a playbook.  I'm more interested in reporting, 
> so I can have a shell script that reports the state of my load balancer and 
> all its servers.
>
> After much reading, I think I need to ask for an approach.
>
> Thanks, 
>
> Ed Greenberg
>
>
>
>
>
>
>
>
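
The check-mode approach described in the reply above, as an added example that is not part of the original thread. `modulename`, `servername` and `inbalancer` are taken from the question; the server names are constructed, and the custom module is assumed to implement check mode (Ansible skips a module that does not, which the assert below catches).

```yaml
---
# Added example, not from the original thread.
- hosts: localhost
  gather_facts: false
  vars:
    balancer_servers: [foo, bar, baz]   # constructed sample names

  tasks:
    # check_mode: true forces a dry run for this task only, so nothing is
    # removed from the balancer; "changed" then means "would have been removed".
    - name: Ask whether each server would need removing from the balancer
      modulename:
        servername: "{{ item }}"
        inbalancer: absent
      check_mode: true
      register: probe
      loop: "{{ balancer_servers }}"

    # A module without check-mode support is skipped, and a skipped result
    # would be misread as "already absent", so fail instead of reporting.
    - name: Make sure no probe was skipped
      assert:
        that:
          - probe.results | selectattr('skipped', 'defined') | selectattr('skipped') | list | length == 0
        fail_msg: "modulename does not support check mode; the report would be wrong"

    - name: Report balancer membership
      debug:
        msg: "{{ item.item }}: {{ 'in balancer' if item.changed else 'not in balancer' }}"
      loop: "{{ probe.results }}"
      loop_control:
        label: "{{ item.item }}"
```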



[ansible-project] Re: set, read, and use vars from csv or csv2yml file

2019-08-04 Thread Dan Linder
What is the exact error message you're getting?

I only slightly agree with Mr. Fellers response ("create a custom vars 
plugin"), but in your case that might be overkill.  I've seen teams that 
have a developer write some custom code that breaks soon after he/she 
leaves and then they are stuck with a bigger mess than if they had tried to 
work with Ansible included modules.

On Sunday, August 4, 2019 at 9:13:31 AM UTC-5, gerard moisset wrote:
>
> i'm trying to write playbook to download packages from repo.
>
> here is my try.
>
> csv data
> ===
>
> cat {{ansibleDir}}/temp/csv_data:
>
> module;goroco;repo
> tzdata-26d;G01R01C01;dnc
> ansible-26d;G00R00C00;dnc-unstable
> webadmi-26d;G01R01C02;dnc-unstable
>
>
> csv2yml file python script
> 
>
> cat {{ansibleDir}}/csv2yml.py:
>
>
> #!/usr/bin/env python
>
> import csv
> import sys
> import yaml
>
> csv_data = []
> with open(sys.argv[1]) as csvfile:
>     reader = csv.DictReader(csvfile)
>     for row in reader:
>         csv_data.append(row)
>
> with open(sys.argv[1] + '.yml', 'w') as outfile:
>     outfile.write(yaml.dump({'csv_data': csv_data}))
>
>
>
> ymlFromCsv file
> 
>
> cat {{ansibleDir}}/temp/csv_data.yml:
>
> csv_data:
> - {module;goroco;repo: tzdata-26d;G01R01C01;dnc}
> - {module;goroco;repo: ansible-26d;G00R00C00;dnc-unstable}
> - {module;goroco;repo: webadmi-26d;G01R01C02;dnc-unstable}
>
>
> playbook
> =
>
> try to download package from repo
>
>
> ---
> - hosts: localhost
>   connection: local
>   become: false
>   gather_facts: false
>
>   vars_files:
>     - /home/ansible/temp/csv_data.yml
>   tasks:
>     - name: parse csv and make vars file
>       command: "python /home/ansible/scripts/csv2yml.py /home/ansible/temp/csv_data"
>     - debug: var=csv_data
>
>     - name: define vars
>       include_vars:
>         file: "/home/ansible/temp/csv_data.yml"
> 
>
> missing task
> 
>
> 
> 
> 
> i need task to be defined either from csv_data, or csv_data.yml, iterating 
> on,
>
> curl -v --remote-name --proxy {{ proxy }} --proxy-user {{ credentials }} 
> {{ downloadUrl }}/{{ delivery.repo }}/{{ delivery.module }}/{{ 
> delivery.goroco }}/PL-{{ delivery.module }}-{{delivery.goroco }}.tar
>
> but i've not yet found the way to reuse my vars.
>
> any help is welcome.
>
>
>
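
The csv_data.yml in the quoted message has a single `module;goroco;repo` key per row because `csv.DictReader` splits on commas by default while the file is semicolon-separated. An added example (not from the thread) of one way to read the file with the right delimiter and run the quoted curl command once per row, assuming the community.general collection is installed. `download_dir` is a hypothetical variable; `proxy`, `credentials` and `downloadUrl` are the poster's variables and are expected to be defined elsewhere.

```yaml
---
# Added example, not from the original thread.
- hosts: localhost
  connection: local
  become: false
  gather_facts: false
  vars:
    download_dir: /home/ansible/temp/downloads   # hypothetical target directory

  tasks:
    - name: Read the semicolon-separated list into a list of dicts
      community.general.read_csv:
        path: /home/ansible/temp/csv_data
        delimiter: ";"
      register: deliveries

    # Catches the failure seen in the thread: with the wrong delimiter the
    # rows have no separate module/goroco/repo keys.
    - name: Stop early if a row is missing one of the expected columns
      assert:
        that:
          - delivery.module | default('') | length > 0
          - delivery.goroco | default('') | length > 0
          - delivery.repo | default('') | length > 0
      loop: "{{ deliveries.list }}"
      loop_control:
        loop_var: delivery

    - name: Create the download directory
      file:
        path: "{{ download_dir }}"
        state: directory
        mode: "0750"

    - name: Download each package
      command: >-
        curl --fail --remote-name
        --proxy {{ proxy }} --proxy-user {{ credentials }}
        {{ downloadUrl }}/{{ delivery.repo }}/{{ delivery.module }}/{{ delivery.goroco }}/PL-{{ delivery.module }}-{{ delivery.goroco }}.tar
      args:
        chdir: "{{ download_dir }}"
        creates: "{{ download_dir }}/PL-{{ delivery.module }}-{{ delivery.goroco }}.tar"
      loop: "{{ deliveries.list }}"
      loop_control:
        loop_var: delivery
        label: "{{ delivery.module }}"
      no_log: true   # keeps the proxy credentials out of the task output
```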



Re: [ansible-project] using different remote_user until success

2019-07-09 Thread Dan Linder


On Monday, July 8, 2019 at 2:41:54 PM UTC-5, william...@gmail.com wrote:
>
> So, it will run include-3.yml 3 times?  And one will succeed?
>

Yes - in my testing, I added a good user account to use, and that one ran 
the ping successfully.
 

> I obviously have a number of tasks to run after this…
>

In my scenario we have a number of systems that might use one of a number 
of different accounts - the list of what account is used where has been 
lost to time.

With a script like this we could have it run through a large list of 
accounts and note which one(s) succeed for each host.  After that is done, 
we then run a fix-it script to either update the systems to use a 
consistent account, or we update our system database so the proper account 
is known.  Regardless of which direction is gone, it is then easy to 
generate an inventory with the appropriate login account so Ansible can 
access them properly without having to try all the keys.

> Also it seems strange that assigning variable to remote_user seems to only 
> work once – is that correct?
>

Not sure - I didn't dig into the code to check.
 

> I actually dug down into the source and the ssh.py  connection plugin and 
> it didn’t look as though it would be a big deal to pass a list to it but I 
> don’t particularly want to wind up with my ‘own’ version of ansible plugins 
> so unless someone thought it was worthwhile having then I probably won’t.
>

I really shy away from mucking with the deep internals - especially when 
that code will probably get updated over time and future updates will 
overwrite my changes.
 

> Saying that, as AWS instances do have different user accounts according to 
> flavor, and you can’t get the flavor without connecting, it seems like it  
> might be useful?
>

I think so, yes.

Dan



Re: [ansible-project] using different remote_user until success

2019-07-08 Thread Dan Linder
Are you opposed to using a second playbook and using the "include:" module 
like this?

---
- hosts: all
  gather_facts: false
  tasks:
  - name: try users
    #remote_user: "{{ item }}"
    include: include-3.yml
    vars:
      my_remote_user: "{{ item }}"
    with_items:
      - centos
      - root
      - ec2-user

Then the "include-3.yml" file looks like this:
---
- name: try users
  remote_user: "{{ my_remote_user }}"
  ping:
  ignore_unreachable: true
  failed_when: false

This then tries to connect with each user:
 ESTABLISH SSH CONNECTION FOR USER: centos
 ESTABLISH SSH CONNECTION FOR USER: root
 ESTABLISH SSH CONNECTION FOR USER: ec2-user


On Monday, July 8, 2019 at 11:16:47 AM UTC-5, william...@gmail.com wrote:
>
> Sorry, pressed send inadvertently there... 
>
> -Original Message- 
> From: william...@gmail.com   > 
> Sent: Monday, July 8, 2019 10:09 AM 
> To: ansible...@googlegroups.com  
> Subject: RE: [ansible-project] using different remote_user until success 
>
> Hi Brian, this seemed like a good way to do it, but I haven't been able to 
> make it work - I haven't done much logic in my plays... mostly just point 
> and shoot tasks. 
>
> --- 
> - hosts: test 
>   gather_facts: false 
>   tasks: 
>   - name: try users 
>     remote_user: "{{ item }}" 
>     ping: 
>     ignore_unreachable: true 
>     failed_when: false 
>     with_items: 
>       - centos 
>       - root 
>       - ec2-user 
>
> When I run this, it loops 3 times, and at the start of each I get... 
>
>  ESTABLISH SSH CONNECTION FOR USER: centos 
>
> failed: [xxx.xxx.xxx.xxx] (item=centos) => { 
> "ansible_loop_var": "item", 
> "item": "centos", 
>
> < xxx.xxx.xxx.xxx > ESTABLISH SSH CONNECTION FOR USER: centos 
>
> failed: [xxx.xxx.xxx.xxx] (item=root) => { 
> "ansible_loop_var": "item", 
> "item": "root", 
> "msg": "Failed to connect to the host via ssh: Permission denied 
> (publickey,password).", 
> "unreachable": true 
> < xxx.xxx.xxx.xxx > ESTABLISH SSH CONNECTION FOR USER: centos 
> failed: [xxx.xxx.xxx.xxx] (item=ec2-user) => { 
> "ansible_loop_var": "item", 
> "item": "ec2-user", 
> "msg": "Failed to connect to the host via ssh: Permission denied 
> (publickey,password).", 
> "unreachable": true 
> } 
>
> So the item is changing, but it seems that you can only set remote_user 
> once? 
>
> I assume remote_user is what I should be using in the playbook? 
>  Ansible_user in the config file and remote_user in the playbook right? 
>
> This seems like great solution if I could get it to work. 
>
> Any advice would be hugely appreciated at this point. 
>
> Regards 
> Bill 
>
>
> -Original Message- 
> From: ansible...@googlegroups.com  <
> ansible...@googlegroups.com > On Behalf Of Brian Coca 
> Sent: Friday, July 5, 2019 8:10 AM 
> To: Ansible Project > 
> Subject: Re: [ansible-project] using different remote_user until success 
>
> loop a ping task over the users and use 'ignore_unreachable' and 
> failed_when: false to keep running that task, register the result and set 
> ansible_user using the results. 
>
>
> -- 
> -- 
> Brian Coca 
>
>
>
>



[ansible-project] Re: Ansible usage of puppet "facter" not working in some hosts

2019-06-17 Thread Dan Linder
Since you have at least one working and one failing machine (presumably of 
the same OS version), can you compare the "rpm -qa" output and see what's 
different between the two just in case it's a simple package that was 
missing?

On Sunday, June 16, 2019 at 2:10:04 PM UTC-5, Thomas Spear wrote:
>
> Hi all,
>
> I have an environment setup where we have puppet applying configuration 
> management, and ansible is used to make approved one-off changes.
>
> As part of a playbook, we pull the facter_installed_rpms fact into a 
> variable within the play and check for the presence of a given RPM. This is 
> simpler than using the command module to do rpm -qa, and practically the 
> only way to do this since the rpm module doesn't seem to provide an option 
> to query installed modules without making a change.
>
> In the majority of our hosts, this works fine without issues.
> But in a few servers, I'm getting an error from ansible that 
> "facter_installed_rpms" is undefined.
> Additionally, when I run "ansible localhost -m setup -a 
> 'gather_subset=!all,!any,facter' " I'm unable to see any facter_* facts in 
> the output, and as such, ansible fails when this fact is not defined.
> Whereas on the working host, the above command shows facter_* facts (as 
> documented by the setup module's documentation page)
>
> Notes
>
> Note
>
>    - More ansible facts will be added with successive releases. If 
>    *facter* or *ohai* are installed, variables from these programs will 
>    also be snapshotted into the JSON file for usage in templating. These 
>    variables are prefixed with facter_ and ohai_ so it’s easy to tell 
>    their source. All variables are bubbled up to the caller. Using the 
>    ansible facts and choosing to not install *facter* and *ohai* means you 
>    can avoid Ruby-dependencies on your remote systems. (See also facter 
>    and ohai.)
>
>
> I have narrowed this down to the point where I'm fairly confident that it's 
> something in the puppet configuration being sent from the puppet compile 
> masters, rather than the ansible configuration.
>
> The working hosts connect to one set of compile masters while the 
> non-working hosts connect to another different set of compile masters. So I 
> think something in the code (or maybe in the system environment as a result 
> of the puppet code) between the two sets of compile masters is different, 
> but I haven't the faintest idea what it might be.
>
> That being said, I am hoping that I can do some additional probing of the 
> ansible setup module to find out what is different so I can identify the 
> root cause for this discrepancy, but I'm not sure what all I should try.
>



[ansible-project] Merging of "win_*" with their non-OS specific siblings?

2019-05-28 Thread Dan Linder
Are there plans to merge the various Windows specific modules into their 
non-OS specific module twins?  I'm thinking more of things like "win_ping", 
"win_copy", "win_command", "win_file", "win_shell", "win_tempfile", 
"win_template", "win_uri", "win_user", etc.

There are plenty of Windows specific calls that don't make sense to merge 
(e.g. "win_domain_controller", "win_domain_computer", etc) so I get those 
should stay separate.



[ansible-project] Re: How to use vars to work with to_datetime

2019-05-19 Thread Dan Linder
You're using the "debug:" module to set the "msg" variable so the date 
value isn't in the "{{ msg }}" variable, rather it's in the "{{ msg.msg }}" 
variable.

Try these lines instead:
  - name: FIXED - age of file in days stored in msg
    set_fact:
      msg: "{{ (ansible_date_time.epoch|int - file_age.stat.mtime|int)/(86400|round|int) }}"

  - name: FIXED - Show msg
    debug:
      var: msg

  - name: FIXED - Show msg as integer
    debug:
      msg: " Your file is {{ msg|int }} days old"

That then stores the computation done in the "set_fact:" module in the 
"msg" variable as expected.

On Thursday, May 2, 2019 at 6:30:10 AM UTC-5, Andy Magana wrote:
>
> So I have resolved my issue thanks to others advice what worked is to 
> 1. stat the file get its mtime and
> 2. register and 
> 3. assign it to a variable and the same for the current date and 
> 4. put both variables  and include to convert them to an INT into a jinja 
> subtraction arithmetic and divide all inside the jinja {{ }}
> 5. register the sum total and include the INT
> 6. add another debug and msg to output SUM as a whole number instead of a 
> float. 
>
>
>
>
>
> [root@ansible ansible]# ansible-playbook mystat.yml 
>
> PLAY [localhost] 
> *
>
> TASK [Gathering Facts] 
> ***
> ok: [localhost]
>
> TASK [stat] 
> **
> ok: [localhost]
>
> TASK [debug] 
> *
> ok: [localhost] => {
> "file_age.stat.mtime": "1556662665.1"
> }
>
> TASK [debug] 
> *
> ok: [localhost] => {
> "ansible_date_time.epoch": "1556746971"
> }
>
> TASK [age of file in days] 
> ***
> ok: [localhost] => {
> "msg": "0.97576389"
> }
>
> TASK [debug] 
> *
> ok: [localhost] => {
> "msg": {
> "changed": false, 
> "failed": false, 
> "msg": "0.97576389"
> }
> }
>
> TASK [debug] 
> *
> ok: [localhost] => {
> "msg": " Your file is 0 days old"
> }
>
> PLAY RECAP 
> ***
> localhost  : ok=7changed=0unreachable=0failed=
> 0   
>
> [root@ansible ansible]# 
>
> AND my playbook looks like this above is the results. 
>
>
> ---
> - hosts: localhost
>   user: ansible
>   become: true
>   tasks:
>   - stat:
>       path: /etc/ansible/ansible.cfg
>     register: file_age
>
>   - debug:
>       var: file_age.stat.mtime
>
>   - debug:
>       var: ansible_date_time.epoch
>
>   - name: age of file in days
>     debug:
>       msg: "{{ (ansible_date_time.epoch|int - file_age.stat.mtime|int)/(86400|round|int) }}"
>     register: msg
>
>   - debug:
>       var: msg
>
>   - debug:
>       msg: " Your file is {{ msg|int }} days old"
> 
>
>
>
> On Wednesday, May 1, 2019 at 9:51:06 PM UTC-5, d...@linder.org wrote:
>>
>> It's hard without the actual playbook, but I think you need to use 
>> 'current.stdout' inserted of just 'current' in that last task.
>
>



[ansible-project] Re: How to try one task in Ansible ?

2019-05-17 Thread Dan Linder

Your second question:

> But when i run my script with module command or script or shell, the state 
> is changed but i'm not rassure if all task in my script is execut ...?


When you use the `script:` module, anything that script does on your remote 
system is outside of the control of Ansible.

It is up to you or the developer of the script to ensure that "all task in 
my script [are] executed".  Does your script have adequate error checking, 
does it check for dependencies with other tools, is it running as the right 
account?

Your first question:

> I want verify if my script is well execut and all task in my script is ok.
>

Are you asking how you can setup your playbook so that Ansible can 
determine if the script is executable on the remote machine?

If you like, you could add some sanity checking to the top of the 
"script.sh" that only executes with a specific flag you pass to it from the 
Ansible execution.  For example, if you add a simple "if" condition to it 
that looks for a command argument `--test_by_ryad`, when that argument is 
found, the script does whatever checking you need, then exits with a 
successful exit code (0), or exits with a failure (1) if it is not.  You 
then setup a two step playbook:

- name: "Verify my script"
  script: ./script.sh --test_by_ryad
  delegate_to: localhost

- name: "Execut my script shell"
  script: ./script.sh
  register: result
  delegate_to: localhost

The first task, "Verify my script", will run your script in your "test mode", 
and if it exits with a failure, the playbook will stop.  If it exits 
successfully it will continue to execute the script without your test 
parameter and do whatever your script is designed to do.
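
A sketch of what the script side of that test mode could look like, added here as an example and not part of the original reply. Only the `--test_by_ryad` flag and the 0/1 exit codes come from the message above; the dependency list, the account check and the function names are assumptions.

```shell
#!/bin/sh
# script.sh - constructed example of a script with a preflight ("test") mode.
# Everything except the --test_by_ryad flag and the 0/1 exit codes is an
# assumption made for this example.

# Tools the real work depends on (hypothetical list; adjust to the script).
REQUIRED_CMDS="${REQUIRED_CMDS:-sh id}"
# Account the script must run as; empty means "any account" (hypothetical).
REQUIRED_USER="${REQUIRED_USER:-}"

# preflight: return 0 when every check passes, 1 otherwise.
# All failures are reported, not just the first, so one run shows everything.
preflight() {
    rc=0
    for cmd in $REQUIRED_CMDS; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "preflight: missing dependency: $cmd" >&2
            rc=1
        fi
    done
    if [ -n "$REQUIRED_USER" ] && [ "$(id -un)" != "$REQUIRED_USER" ]; then
        echo "preflight: must run as $REQUIRED_USER, running as $(id -un)" >&2
        rc=1
    fi
    return "$rc"
}

# do_work: placeholder for what the script is designed to do.
do_work() {
    echo "doing the real work"
}

# main: dispatch on the first argument.
main() {
    case "${1:-}" in
        --test_by_ryad)
            # Test mode: run the checks only and report through the exit code.
            preflight
            ;;
        "")
            # Never do the real work on a host that fails the checks.
            preflight || return 1
            do_work
            ;;
        *)
            echo "usage: script.sh [--test_by_ryad]" >&2
            return 2
            ;;
    esac
}

main "$@"
```

Because the normal run repeats the preflight before doing anything, the script still refuses to act on a host that fails the checks even if the "Verify my script" task is skipped.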



[ansible-project] Re: Delete based on directory size

2019-05-11 Thread Dan Linder
Does this help?

I created a directory structure with four files:
$ find /tmp/dirsize/ -ls | cut -c 18-
drwxrwxr-x   5  dan  dan       100 May 11 14:59 /tmp/dirsize/
drwxrwxr-x   2  dan  dan        60 May 11 15:00 /tmp/dirsize/d3
-rw-rw-r--   1  dan  dan   5242880 May 11 15:00 /tmp/dirsize/d3/5M.file
drwxrwxr-x   2  dan  dan        60 May 11 15:00 /tmp/dirsize/d2
-rw-rw-r--   1  dan  dan   3145728 May 11 15:00 /tmp/dirsize/d2/3M.file
drwxrwxr-x   2  dan  dan        80 May 11 15:00 /tmp/dirsize/d1
-rw-rw-r--   1  dan  dan   3145728 May 11 15:00 /tmp/dirsize/d1/3M.file
-rw-rw-r--   1  dan  dan   6291456 May 11 14:59 /tmp/dirsize/d1/6M.file

Then using this playbook:
---
- hosts: all
  gather_facts: false

  vars:
    log_dir: "/tmp/dirsize/"
    max_dirsize: 4
    max_logsize: 4

  tasks:

  - name: Test using du command
    shell: du -sm "{{ log_dir }}"/*
    register: du_files
    changed_when: false

  - name: "Work on directories greater than {{ max_dirsize }}m in {{ log_dir }}"
    debug:
      msg: "Files- {{ item.split('\t')[1] }} - {{ item.split('\t')[0] }}m"
    when: item.split('\t')[0]|int >= max_dirsize|int
    with_items: "{{ du_files.stdout_lines }}"

The playbook runs and uses the "du" command to find the size of all the files 
and directories, then that list is parsed to find only those items that are 
larger than "max_dirsize" MB.


$ ansible-playbook dirsize.yml --connection local -i localhost,

PLAY [all] *

TASK [Test using du command] ***
ok: [localhost]

TASK [Work on directories greater than 4m in /tmp/dirsize/] 
ok: [localhost] => (item=9  /tmp/dirsize/d1) => {"msg": "Files- /tmp/dirsize/d1 - 9m"}
skipping: [localhost] => (item=3  /tmp/dirsize/d2) 
ok: [localhost] => (item=5 /tmp/dirsize/d3) => {"msg": "Files- /tmp/dirsize/d3 - 5m"}

PLAY RECAP *
localhost  : ok=2    changed=0    unreachable=0    failed=0   


Replace the "debug:" module call with the action(s) you want to take on those 
large files.


On Saturday, May 11, 2019 at 7:00:16 AM UTC-5, Nicholas Britton wrote:
>
> I have been looking for a module for something similar to the du command. 
> I would like to have a play that looks at the log directory to detect if 
> it's a certain size or larger and if so find the sub folders with gbs of 
> data and remove or tar that data up.  
>
> So far I am not finding that and parsing the return of the du command is 
> not something I am having luck with. 
>
> Has anyone tried to do something similar? Have any ideas or pointers for 
> me?
>
>



Re: [ansible-project] Re: don't print statement if "command not found" and compare variable value with list of values

2018-11-16 Thread Dan Linder
Correction to my previous email:
You *COULD* run a play right before it that registers the full path of
`systemctl` found on the system (maybe use `shell: which systemctl`), but
that is not a stable method in some cases.  I suggest using `systemd:` with
the OS version check if needed.

On Fri, Nov 16, 2018 at 9:31 PM  wrote:

> I'd suggest not using the `shell:` module, instead use the `systemd:`
> module.
>
> Then setup the `when:` clause with a third that only executes this play on
> OS versions that have `systemctl` (e.g. RHEL 7+, etc).  You run a play
> right before it that registers the full path of `systemctl` found on the
> system (maybe use `shell: which systemctl`).
>
> Something like this:
>  - name: manage services using systemctl
>    tags:  manage services using systemctl
>    systemd:
>      name: "{{servicesList}}"
>      state: "{{actionTodo}}"
>    with_items:
>      - "{{servicesList}}"
>    when:
>      - ansible_os_family == "RedHat" and ansible_lsb.major_release|int >= 7
>      - actionTodo != ""
>      - servicesList != ""
>    ignore_errors: true
>    register: p2
>
>
> On Friday, November 16, 2018 at 8:06:40 AM UTC-6, moisset...@gmail.com
> wrote:
>>
>> i'm trying this in a playbook:
>>
>> ..
>> vars:
>>actionTodo: "{{ variable_actionTodo }}"
>>servicesList: "{{ variable_servicesList }}"
>>actionTodo_list: [start,stop,rstart,rstop,status,rstatus]
>> ..
>>
>>  - name: manage services using systemctl
>>    tags:  manage services using systemctl
>>    shell:  systemctl {{actionTodo}} {{servicesList}}
>>    with_items:
>>      - "{{servicesList}}"
>>    when: actionTodo != "" and  servicesList != ""
>>    ignore_errors: true
>>    register: p2
>>
>>
>>  - debug:
>>      var: p2
>>
>> i'd like to compare:
>> - actionTo value with value from actionTo_list
>> - and avoid printing "command not found"  node without systemctl
>>
>>


-- 
* * *** *** * *** **
"If you wish to make an apple pie from scratch,
  you must first invent the universe."
  -- Carl Sagan

"Quis custodiet ipsos custodes?"
(Who can watch the watchmen?)
-- from the Satires of Juvenal

"I do not fear computers, I fear the lack of them."
-- Isaac Asimov (Author)
** *** * *** *** * *



Re: [ansible-project] getting error when i set ssh-agent for root user

2018-09-30 Thread Dan Linder
If the ssh-agent must be running for your installer to complete, then
you'll probably have to run it after the ssh-add:

- name: Add and load private key to ssh-agent and start installer
  shell: "eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa && /path/to/installer"

My gut feeling is that there's something missing that would make your task
a lot easier and not need the ssh-agent/ssh-add processes.

On Sun, Sep 30, 2018 at 5:47 PM pranay varankar 
wrote:

> Hi Dan,
>
> Actually we install some of my on-premises software on remote machine but
> we required ssh-agent configured on that remote machine to install this
> software.
>
> without authenticate with that keys we can not able to install this
> software on my remote machine.
>
> is their any way to check the below task was running properly on my remote
> machine.
>
> - name: Add and load private key to ssh-agent
>   shell: "eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa"
>
> On Mon, Oct 1, 2018 at 2:26 AM Dan Linder  wrote:
>
>> Hi Pranay,
>>
>> You asked, is "task i wrote in playbook in correct or not ?"
>>
>> Based on the output from your playbook provided earlier, the
>> tasks/commands ("ssh-agent" and "ssh-add") ARE being executed on the remote
>> machine without error - the yellow "changed:" response notes that the
>> "shell:" module ran and the two commands did not return an error.
>>
>> Back to the question we asked earlier, what are you trying to get setup
>> by running these steps?
>>
>> Until you can tell us what you're trying to do exactly by running these
>> commands, we can't really help you further.  You've setup the "shell:"
>> module properly and the commands run without error.  Until we know what
>> you're trying to do later we can't provide any further assistance.
>>
>> On Sunday, September 30, 2018 at 2:25:38 PM UTC-5, pranay varankar wrote:
>>>
>>> Hi Dan,
>>>
>>> Thanks for providing information.
>>>
>>> Actually, I have already add key file to client machine.
>>>
>>> I have a question ...The task i wrote in playbook in correct or not ? if
>>> it wrong can you send me the correct task to perform those command on
>>> client machine.
>>>
>>> - name: Add and load private key to ssh-agent
>>>   shell: "eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa"
>>>
>>>
>>>
>>> On Sun, Sep 30, 2018 at 11:45 PM Dan Linder  wrote:
>>>
>>>> The "ssh-agent" and "ssh-add" are usually run on a system as a specific
>>>> user to add an SSH key to a temporary 'keychain' so any subsequent SSH
>>>> commands can automatically (and without prompting) use a specific ssh key
>>>> to connect to a second system.
>>>>
>>>> When you run them in the Ansible "shell" module, it's running those on
>>>> the remote system and once that module completes, the ssh keychain process
>>>> ("ssh-agent") is closed and it goes away.
>>>>
>>>> As  Johnathan asked, what are you trying to get setup by running these
>>>> steps?  It looks like you're trying to get it setup so you can SSH into the
>>>> "ubuntu-target" system as root using the "id_rsa" key on "ubuntu" .  (But
>>>> since your ansible-playbook command doesn't prompt for credentials, it
>>>> appears you already have the shared ssh key setup, so I'm confused what
>>>> larger problem you're trying to solve...)
>>>>
>>>> On Sunday, September 30, 2018 at 5:52:41 AM UTC-5, pranay varankar
>>>> wrote:
>>>>>
>>>>> Hi Jonathan,
>>>>>
>>>>> I use below task in my playbook,
>>>>>
>>>>> - name: Add and load private key to ssh-agent
>>>>>   shell: "eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa"
>>>>>
>>>>> When i run playbook no error found,
>>>>>
>>>>> [image: image.png]
>>>>>
>>>>> But I log in to my client machine and type "ssh-add -l" command then I
>>>>> get below error
>>>>>
>>>>> [image: image.png]
>>>>>
>>>>>
>>>>> On Sun, Sep 30, 2018 at 5:11 AM Jonathan Lozada De La Matta <
>>>>> jloz...@redhat.com> wrote:
>>>>>
>>>>>> what exactly are you trying to acco

Re: [ansible-project] getting error when i set ssh-agent for root user

2018-09-30 Thread Dan Linder
The "ssh-agent" and "ssh-add" are usually run on a system as a specific 
user to add an SSH key to a temporary 'keychain' so any subsequent SSH 
commands can automatically (and without prompting) use a specific ssh key 
to connect to a second system.

When you run them in the Ansible "shell" module, it's running those on the 
remote system and once that module completes, the ssh keychain process 
("ssh-agent") is closed and it goes away.

As  Johnathan asked, what are you trying to get setup by running these 
steps?  It looks like you're trying to get it setup so you can SSH into the 
"ubuntu-target" system as root using the "id_rsa" key on "ubuntu" .  (But 
since your ansible-playbook command doesn't prompt for credentials, it 
appears you already have the shared ssh key setup, so I'm confused what 
larger problem you're trying to solve...)

On Sunday, September 30, 2018 at 5:52:41 AM UTC-5, pranay varankar wrote:
>
> Hi Jonathan,
>
> I use below task in my playbook,
>
> - name: Add and load private key to ssh-agent
>   shell: "eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa"
>
> When i run playbook no error found,
>
> [image: image.png]
>
> But I log in to my client machine and type "ssh-add -l" command then I get 
> below error
>
> [image: image.png]
>
>
> On Sun, Sep 30, 2018 at 5:11 AM Jonathan Lozada De La Matta <
> jloz...@redhat.com > wrote:
>
>> what exactly are you trying to accomplish?
>>
>> On Sat, Sep 29, 2018 at 6:03 PM pranay varankar > > wrote:
>>
>>> Hi Jonathan,
>>>
>>> But which module I use to run *eval `ssh-agent -s` or ssh-add 
>>> /root/bashrc.*
>>>
>>> *Shell/command/action/raw module to create task for above command*
>>>
>>>
>>> On Sun 30 Sep, 2018, 2:53 AM Jonathan Lozada De La Matta, <
>>> jloz...@redhat.com > wrote:
>>>
>>>> try
>>>>
>>>> ssh-agent bash
>>>>
>>>> then
>>>>
>>>> ssh-add
>>>>
>>>> On Sat, Sep 29, 2018 at 5:04 PM pranay varankar wrote:
>>>>

> Hi  Jonathan,
>
> actually i m not getting error when i run playbook but after i will 
> login to client machine and check using "ssh-add -l"  command then i get 
> "Could 
> not open a connection to your authentication agent" error.
>
> Can you send me task code to perform this operation. 
>
> On Sun, Sep 30, 2018 at 1:03 AM Jonathan Lozada De La Matta <
> jloz...@redhat.com > wrote:
>
>> what error are you getting ?
>>
>> On Sat, Sep 29, 2018 at 7:05 AM pranay varankar > > wrote:
>>
>>> Hi,
>>>
>>> I need to add ssh-agent for root user. so I use below command 
>>> through ansible task but getting an error.
>>>
>>> *eval `ssh-agent -s` && ssh-add ~/.ssh/id_rsa"*
>>>
>>> please give me task to perform below command on my target machine.
>>>
>>
>>
>> -- 
>>
>> Jonathan lozada de la matta
>>
>> AUTOMATION PRACTICE
>>
>>
>>
>>  
>>
>
>>

Re: [ansible-project] Re: Source control of playbooks - how do you edit, test and perform version control....

2018-09-19 Thread Dan Linder
 systems in the DMZ to only permit logins from the internal
management subnet.")

On Thu, Aug 2, 2018 at 6:43 AM Lee Drew  wrote:

> Hi Dan. I've just started using AWX today. Do you mind giving me a bit of
> background on how you have set yours up?
>
> We currently have no config mgmt for our server environment and for the
> project I'm on (+ any other project) we will use Ansible to manage the
> configuration changes. I've so far created a stack of playbooks, each
> within their own sub directory which includes a vars folder, scripts where
> necessary etc. I do however have a global inventory file that all plays
> reference outside of the playbook sub directory. Running the required plays
> via CLI has been fine for myself and I have all the playbook projects
> listed as subfolders within a gitlab repo called playbooks.
>
> Now that I want to use AWX so other people can manage the plays I'm
> doubting whether my playbook structure is ideal, plus the fact from what
> I've seen each playbook directory (app/service - e.g GIS, SQL) directory
> requires an inventory file so AWX can reference it.
>
> Do you have an inventory file in each playbook directory? All playbooks
> and inventory in single directory and no sub folders to separate the plays?
>
> Thanks in advance. Excuse typos... typed on mobile!
>
> On Thu, 26 Jul 2018, 3:00 PM Dan Linder,  wrote:
>
>> I'll jump in with with what we are doing.
>>
>> We have a Git server (GitHub on site, but it could be any sourcecode
>> repository, local or hosted), and each of us have a copy of the repository
>> in our test/dev environment.  Development on the files (playbooks, roles,
>> vars, hosts, etc) are modified/pulled/pushed/etc just like any other source
>> code.
>>
>> On my workstation I have my own hosts file that points to my small test
>> environment (a few VMs spun up in the lab) that I can point the playbooks
>> at.  When I get the playbooks working there, I push the code to the
>> repository.  Then someone else pulls down the changes to their workstation
>> and runs the playbooks against their test hosts.  (Or I can do the same
>> with their updates.)
>>
>> When we're good with what we've produced, someone from the ops team pulls
>> down the repo to their system which has access to the QA (pre-production)
>> environment, runs the playbook in check mode to validate, then runs the
>> playbook during the next change window.
>>
>> We also have Ansible Tower (RedHat supported version of AWX) which has
>> jobs/templates setup that automatically check-out the repository to a
>> temporary location on the Tower server, and run the playbook in that
>> repository against a set of hosts with a specific set of credentials.  This
>> way teams can setup their own host inventories on Tower, we can safely
>> store credentials for Ansible to use to login to these systems (developers
>> don't need the passwords in this case), and we have a job history log for
>> review.
>>
>> On Wednesday, July 25, 2018 at 3:34:06 PM UTC-5, java_cat33 wrote:
>>>
>>> Thanks for your insight Jon. When you use WSL - are you pulling from
>>> your source code repo from within the Ansible controller? You then just
>>> test and edit the code directly on the controller?
>>>
>>> What do you use for a code repo? Hosted Gitlab?
>>>
>>>
>>> On Thursday, July 26, 2018 at 1:17:11 AM UTC+12, J Hawkesworth wrote:
>>>>
>>>> I work in an windows environment too.
>>>>
>>>> Mostly I use Windows Subsystem for Linux (WSL) also known as Bash on
>>>> Windows.  This lets me pull from our source code repo, edit and check in
>>>> changes and run playbooks (ansible runs fine inside WSL), also you can use
>>>> ansible-vault to encrypt your secrets so they never land in your source
>>>> control.
>>>>
>>>> Sometimes I target VMs running in VirtualBox, other times I target vms
>>>> in our dev environment.
>>>>
>>>> If you like vagrant you can run vagrant inside WSL and target
>>>> virtualbox running on the windows 10 host after setting a couple of
>>>> environment variables - see
>>>> https://www.vagrantup.com/docs/other/wsl.html
>>>>
>>>> Mostly we just pull and update source code and then push changes.  This
>>>> has worked fine for us.  When switching to a new version of ansible,
>>>> typically I branch, make changes and test them before letting others test
>>>> and use the new version of ansible.
>>>>
>>

[ansible-project] How to setup variable files to contain multiple versions of vaulted variables

2018-08-20 Thread Dan Linder
I'm running Ansible 2.6.2 and trying to wrap my head around the --vault-id 
and multiple vault passwords.

As I understand it, the usefulness it is bringing is that different users 
can have their playbook decrypt their teams version of the variable and we 
don't have to create different vaulted files for each environment.  I'm 
having trouble determining how to setup the variable file properly.

To test this, I setup a simple test like this:

# Setup a simple playbook to pull in the variable file then show the 
encrypted data:
# The "validate_dev.yml" playbook:
---
- hosts: localhost
  become: yes
  gather_facts: no

  tasks:
  - name: "Read in the password file."
    include_vars:
      file: "the_secrets.yml"

  - name: "The value of the_password variable."
    debug:
      msg: "The value of the_password is {{the_password}}."


# 1 - Setup the development and production encryption/decryption keys.
echo -n DevDecryptKey > dev_decrypt_key.txt
echo -n ProdDecryptKey > prod_decrypt_key.txt

# 2 - Build the vaulted "the_secrets.yml" file for dev and prod
echo -n "DevPassW0rd!" | ansible-vault encrypt_string --vault-id dev@dev_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml
echo -n "ProdPWD!" | ansible-vault encrypt_string --vault-id prod@prod_decrypt_key.txt --stdin-name "the_password" | tee -a the_secrets.yml

# 3 - Show the the_secrets.yml file:
# Note that it contains the "the_password" variable twice, the first with 
the "dev" vault ID, the second with the "prod" vault ID.
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  
3835626439323236303337313065353533643537623737663932653864333466333231393830
  
3530626365303535396237643932373437323438643235660a373235336330663762323134393436
  
626431343164383261353666376238316664366133343464636435373564613432373564
  
3664393736333062650a66653133646339316237633538643839366430326563393763393538
  6631
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  
64326635306363636338353930313564353639326166326531613362383730633539343164376432
  
6462393037353831626361633536356135363235623039350a626561313137396330653738303665
  
6435396336353865303963373933626664653433386130643538656266646537616361643437
  
3534373736323331640a323934316138323737636363303663353932383965386664353630383132
  
31656565313030633161306531363135623536383733663133353032393532313736


# 4 - Try to execute for the dev then prod keys
ansible-playbook -l localhost -e ansible_connection=local --vault-id ./prod_decrypt_key.txt  ./validate_dev.yml
*THIS WORKS* - presumably because "the_password" variable was defined twice 
and the second one (prod) overwrote it.

ansible-playbook -l localhost -e ansible_connection=local --vault-id ./dev_decrypt_key.txt  ./validate_dev.yml
*THIS FAILS* - presumably because "the_password" variable was defined twice 
and the second one (prod) overwrote it.

I assume the file containing the vaulted password ("the_secrets.yml") needs 
to be setup differently, but I can't find where that format/usage is 
documented.
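
An added example, not part of the original post: a shell/awk check over a vars file shaped like the_secrets.yml above, listing which vault ID each `key: !vault |` entry carries and which entries are hidden by a later duplicate key. The function names and the sample file are constructed for this example, and it assumes, as the post presumes, that the last definition of a duplicated key is the one that survives loading.

```shell
#!/bin/sh
# Report which vault ID each "key: !vault |" entry in a vars file was
# encrypted with, and which entries are shadowed by a later duplicate key.
# Constructed example; only the header line of each vaulted value is read,
# nothing is decrypted.

# vault_entries FILE
# Prints one line per vaulted top-level variable, in file order:
#   <line> TAB <key> TAB <vault-id> TAB <effective|shadowed>
# The vault ID is the 4th ';'-separated field of the $ANSIBLE_VAULT header
# (format 1.2); a header without a label is reported as "default".
vault_entries() {
    awk '
    /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*!vault[ \t]*\|/ {
        pending = $0; sub(/:.*/, "", pending); pline = NR; next
    }
    pending != "" && /\$ANSIBLE_VAULT;/ {
        n = split($0, f, ";")
        label = (n >= 4) ? f[4] : "default"
        gsub(/[ \t\r]/, "", label)
        count++
        key[count] = pending; id[count] = label; line[count] = pline
        last[pending] = count      # a later duplicate replaces the earlier one
        pending = ""
    }
    END {
        for (i = 1; i <= count; i++)
            printf "%d\t%s\t%s\t%s\n", line[i], key[i], id[i],
                   (last[key[i]] == i ? "effective" : "shadowed")
    }' "$1"
}

# vault_effective_id FILE KEY: vault ID of the definition that survives.
vault_effective_id() {
    vault_entries "$1" |
        awk -F '\t' -v k="$2" '$2 == k && $4 == "effective" { print $3 }'
}

# vault_shadowed_count FILE: number of definitions hidden by a later duplicate.
vault_shadowed_count() {
    vault_entries "$1" |
        awk -F '\t' '$4 == "shadowed" { n++ } END { print n + 0 }'
}

# write_sample FILE: constructed vars file with the same layout as the post's
# the_secrets.yml; the payload lines are placeholders, not real ciphertext.
write_sample() {
    cat > "$1" <<'EOF'
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;dev
  0000placeholder
the_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  1111placeholder
EOF
}

# Stand-alone run: build the sample, print the report, clean up.
sample=$(mktemp)
write_sample "$sample"
vault_entries "$sample"
rm -f "$sample"
```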



Re: [ansible-project] trying to reset root password by using .yml playbook, but its failed with permission denied error, however same .yml playbook is working via terminal.

2018-08-02 Thread Dan Linder
To save the call to the external Python command to encrypt the password, 
you can use the Jinja2 "password_hash" documented here:


https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hashing-filters

So your example could look like this:

- name: changing root password
  user:
    name: "root"
    password: "{{ root_password | password_hash('sha512') }}"

Where "root_password" is a variable set earlier (hopefully stored as an 
Ansible vaulted variable).

The only drawback here is that the hashed password will be the same on all 
systems.  Use a "salted hash" [Note 1] so they are not easily noticeable as 
identical to the casual observer:

password: "{{ root_password | password_hash('sha512', 65534|random(seed=inventory_hostname)|string) }}"

This will use the hostname as a consistent seed to the random function, 
then generate a number from 0..65534, finally turning that into a string 
for the password_hash function to use.

Note 1: What is a "salted hash" in computers?  
https://www.skyhighnetworks.com/cloud-security-blog/what-is-a-salt-and-how-does-it-make-password-hashing-more-secure/

On Tuesday, July 31, 2018 at 3:32:21 AM UTC-5, Jobin A T. A T. wrote:

> hi 
> check this one
>   - name: changing root password
> user:
>   name: "root"   ## Should not have "-"
>   password: 
> "$6$rounds=656000$XCYDmKM2Wh6LkAkf$2t/9L0OP4yJgy3wukrahPAM1qZG.SFNoe3eR53EqTq1t6.X.9YL78PJ2uje6dAp1Xxt8UqDe.kqj2/9F7bsvM/"
>
>
> i generated the password hash using the python code 
>
> python -c "from passlib.hash import sha512_crypt; import getpass; print 
> sha512_crypt.encrypt(getpass.getpass())"
>
>
> On Wed, Jul 25, 2018 at 12:52 AM Deepan M  > wrote:
>
>> Thanks Kai for your suggestion, its working perfect. in Jenkins I dont 
>> find the way to change directory, however default file is picking it up.
>>
>> Thanks all for giving your supports.
>>
>>
>>  ansible --version
>> [WARNING]: log file at /var/log/ansible.log is not writeable and we 
>> cannot create it, aborting
>>
>> ansible 2.4.2.0
>>   *config file = /etc/ansible/ansible.cfg*
>>   configured module search path = 
>> [u'/home/q5c9nf32/.ansible/plugins/modules', 
>> u'/usr/share/ansible/plugins/modules']
>>   ansible python module location = 
>> /usr/lib/python2.7/site-packages/ansible
>>   executable location = /usr/bin/ansible
>>   python version = 2.7.5 (default, Feb 20 2018, 09:19:12) [GCC 4.8.5 
>> 20150623 (Red Hat 4.8.5-28)]
>>
>>
>> Started by user deepan
>> Building in workspace 
>> /opt/hcl/support/unix/l5c9nf32/.jenkins/workspace/root_reset_pass
>> [root_reset_pass] $ /usr/bin/ansible-playbook 
>> /Ansible_project/change-root-password1.yml -i /Ansible_project/inventory -f 
>> 100 -e  -e ansible_user=q5c9nf32
>> [WARNING]: log file at /var/log/ansible.log is not writeable and we cannot 
>> create it, aborting
>>
>> /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on 
>> the terminal.
>>   passwd = fallback_getpass(prompt, stream)
>> Warning: Password input may be echoed.
>> SUDO password: 
>> PLAY [xerox] 
>> ***
>>
>> TASK [Gathering Facts] 
>> *
>> ok: [usa7061lv1771]
>>
>> TASK [Change root password] 
>> 
>> changed: [usa7061lv1771]
>>
>> PLAY RECAP 
>> *
>> usa7061lv1771  : ok=2changed=1unreachable=0failed=0  
>>  
>>
>> Finished: SUCCESS
>>
>>
>>
>> Regards,
>> Deepan M
>>
>> On Monday, July 23, 2018 at 2:03:40 PM UTC+5:30, Kai Stian Olstad wrote:
>>>
>>> On 22.07.2018 12:22, Deepan M wrote: 
>>> > Hi, 
>>> > 
>>> > 
>>> >   Please find below - output and let to know how to fix this 
>>> issue. 
>>>
>>> You should have just posted plain text with long line breaking to off. 
>>> This is very difficult to write answer on. 
>>>
>>>
>>> > Building in workspace 
>>> > 
>>> /opt/hcl/support/unix/l5c9nf32/.jenkins/workspace/root_reset_pass[root_rese=
>>>  
>>>
>>> > t_pass] 
>>> > $ /usr/bin/ansible-playbook /Ansible_project/change-root-password1.yml 
>>> > -i /Ansible_project/inventory -f 100 -e  -e 
>>> > ansible_user=3Dq5c9nf32 -ansible-playbook 2.4.2.0  config file =3D 
>>> > /etc/ansible/ansible.cfg  configured module search path =3D 
>>>
>>> ansible-playbook is picking up /etc/ansible/ansible.cfg and I guess that 
>>> the ansible.cfg you have edited is in /Ansible_project 
>>>
>>> If this assumption is right you need to change the current working 
>>> directory in Jenkins to be /Ansible_project since ansible-playbook picks 
>>> up ansible.cfg in cwd. 
>>>
>>> -- 
>>> Kai Stian Olstad 
>>>
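
Added example, not part of the original thread: a complete play built around the per-host salted password_hash expression from the reply above. The vars file path, the root_salt helper variable and the read-back check are assumptions made for illustration.

```yaml
---
# Added example. vars/vault_root_password.yml is a placeholder path for an
# ansible-vault encrypted file that defines root_password.
- hosts: all
  become: true
  vars_files:
    - vars/vault_root_password.yml
  vars:
    # Same seed on every run -> same salt per host -> same hash, so the user
    # task stays idempotent. Different hosts get different salts, so their
    # /etc/shadow entries differ even though the password is shared.
    # Only 65534 salts are possible: enough to stop hashes matching at a
    # glance, far smaller than the 16-character salt sha512-crypt allows.
    root_salt: "{{ 65534 | random(seed=inventory_hostname) | string }}"

  tasks:
    - name: Set root password with a per-host salted SHA-512 hash
      user:
        name: root
        password: "{{ root_password | password_hash('sha512', root_salt) }}"
      no_log: true    # keep the rendered hash out of stdout and log files

    - name: Read back the stored hash
      command: getent shadow root
      register: shadow_root
      changed_when: false
      no_log: true

    - name: Check that the stored hash is sha512-crypt with this host's salt
      assert:
        that:
          - "shadow_root.stdout.split(':')[1].startswith('$6$')"
          - "('$' ~ root_salt ~ '$') in shadow_root.stdout.split(':')[1]"
```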

Re: [ansible-project] Re: Multiple conditions not working

2018-05-27 Thread Dan Linder
I've run into subtle and hard-to-spot logic bugs (Ansible and elsewhere)
that were 'correct' but magically solved when rewritten.  I agree that your
syntax looks spot on, but breaking it out into multiple statements might
make it easier to troubleshoot later on too.

Glad it worked!

On Sun, May 27, 2018 at 12:24 PM, Pranay Nanda 
wrote:

> You're a hero! Splitting does the job. I still wonder why previous logic
> did not work.
>
> On Sunday, 27 May 2018 21:21:15 UTC+5:30, Pranay Nanda wrote:
>>
>> I want to run few tasks in shell if they satisfy a condition. Strangely
>> the task runs if the second condition is satisfied even though the first
>> one fails.
>>
>>   name: ods
>>   shell: "/something {{state}}"
>>   when: ((ods) and (not (ansible_hostname | search("demlh*"
>>   register: sss_ods_out
>>   notify: output ods
>>   ignore_errors: yes
>>
>> Here sss_ods is a variable defined in a vars file. If I remove the latter
>> condition the task would run but I want both the conditions to be satisfied
>> for the task to run and I can't understand where am I going wrong.
>>



-- 
* * *** *** * *** **
"If you wish to make an apple pie from scratch,
  you must first invent the universe."
  -- Carl Sagan

"Quis custodiet ipsos custodes?"
(Who can watch the watchmen?)
-- from the Satires of Juvenal

"I do not fear computers, I fear the lack of them."
-- Isaac Asimov (Author)
** *** * *** *** * *



[ansible-project] Re: Multiple conditions not working

2018-05-27 Thread Dan Linder
I just noticed, if you break the when into two clauses, instead of doing 
"not (...)" you can do this:

 - name: ods
   shell: "/something {{state}}"
   when:
     - ods
     - ansible_hostname is not search("demlh*")
   register: sss_ods_out
   notify: output ods
   ignore_errors: yes


On Sunday, May 27, 2018 at 12:00:17 PM UTC-5, Dan Linder wrote:
>
> The "when" stanza performs an AND when there are multiple when conditions (
> http://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html#the-when-statement
> ).
>
> Whenever I encounter a problem with 'when' I try to break it up to 
> multiple lines so the numerous parentheses aren't causing confusion:
>
>  - name: ods
>    shell: "/something {{state}}"
>    when:
>      - ods
>      - not (ansible_hostname | search("demlh*"))
>    register: sss_ods_out
>    notify: output ods
>    ignore_errors: yes
>
> With that you might be able to deduce why the "AND" clause isn't working 
> as expected.
>
> It might also be that the "ansible_hostname | search(...)" might need to 
> change to "ansible_hostname is search(...)" (change | to is).
>
> If not, can you provide what "ods" contains?  A simple "debug:" before 
> that call should suffice.
>
> On Sunday, May 27, 2018 at 10:51:15 AM UTC-5, Pranay Nanda wrote:
>>
>> I want to run few tasks in shell if they satisfy a condition. Strangely 
>> the task runs if the second condition is satisfied even though the first 
>> one fails.
>>
>>   name: ods
>>   shell: "/something {{state}}"
>>   when: ((ods) and (not (ansible_hostname | search("demlh*"
>>   register: sss_ods_out
>>   notify: output ods
>>   ignore_errors: yes
>>
>> Here sss_ods is a variable defined in a vars file. If I remove the latter 
>> condition the task would run but I want both the conditions to be satisfied 
>> for the task to run and I can't understand where am I going wrong.
>>
>



[ansible-project] Re: Multiple conditions not working

2018-05-27 Thread Dan Linder
The "when" stanza performs an AND when there are multiple when conditions 
(http://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html#the-when-statement).

Whenever I encounter a problem with 'when' I try to break it up to multiple 
lines so the numerous parentheses aren't causing confusion:

 - name: ods
   shell: "/something {{state}}"
   when:
     - ods
     - not (ansible_hostname | search("demlh*"))
   register: sss_ods_out
   notify: output ods
   ignore_errors: yes

With that you might be able to deduce why the "AND" clause isn't working as 
expected.

It might also be that the "ansible_hostname | search(...)" might need to 
change to "ansible_hostname is search(...)" (change | to is).

If not, can you provide what "ods" contains?  A simple "debug:" before that 
call should suffice.

On Sunday, May 27, 2018 at 10:51:15 AM UTC-5, Pranay Nanda wrote:
>
> I want to run few tasks in shell if they satisfy a condition. Strangely 
> the task runs if the second condition is satisfied even though the first 
> one fails.
>
>   name: ods
>   shell: "/something {{state}}"
>   when: ((ods) and (not (ansible_hostname | search("demlh*"
>   register: sss_ods_out
>   notify: output ods
>   ignore_errors: yes
>
> Here sss_ods is a variable defined in a vars file. If I remove the latter 
> condition the task would run but I want both the conditions to be satisfied 
> for the task to run and I can't understand where am I going wrong.
>



[ansible-project] Re: Vault and "dictionaries" - bug or feature request?

2017-10-16 Thread Dan Linder
I've added an issue to the Ansible github project for this:
https://github.com/ansible/ansible/issues/31705

For what it's worth, if I convert the variable to a dictionary (instead of 
a list) and pass that through the list Jinja2 filter it works as a list:

---
- hosts: localhost
  gather_facts: false

# Run like this:
#   ./test01.yml --ask-vault-pass
#   (Enter "test" for the password)

  vars:
    userlist:
      user1:
        password: "user1pwd"
      user2:
        password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62613930343865373434316635616466383633396539303135666565363539396662386636303763
          32373936643063306336386336623932376432350a396337393861363463613734306339
          34393165343861363534656533383834353233323464626461393031623265373537353732356337
          3634353837343363370a36653161333462333261376633636662323131356366653566646239
          3830
      user3:
        password: "user3pwd"

  tasks:
  - name: "Dict variable"
    debug:
      msg: "name: {{item.key}}, password: {{item.value.password}}"
    with_dict: "{{ userlist }}"

  - name: "List variable"
    debug:
      msg: "name: {{item}}, password: {{item.password}}"
    with_items: "{{ userlist.values() | list }}"


On Wednesday, October 11, 2017 at 9:24:57 PM UTC-5, Dan Linder wrote:

> I have a dictionary variable setup that has accounts and passwords:
>
> password_list:
>   - { name: "user1",
>   password: "user1pwd"
> }
>   - { name: "user2",
>   password: "user2pwd"
> }
>   - { name: "user3",
>   password: "user3pwd"
> }
>
>
>
> This variable works as expected.  When I update one of the passwords to 
> a vaulted version like this:
>
> password_list:
>   - { name: "user1",
>   password: "user1pwd"
> }
>   - { name: "user2",
>   password: !vault |
> $ANSIBLE_VAULT;1.1;AES256
> 
> 6636626533326432626431646631356664663262326535346265353939383239626634636331
> 
> 6462666364303539336132346430346432333564346663300a6261366630626330643735
> 
> 6461366438373839313434303433663164363030383663336663656432613965663862656237
> 
> 363134646332610a636230616334306232336263313139623264663338613538643163356239
> 3732
> }
>   - { name: "user3",
>   password: "user3pwd"
> }
>
>
>
>
> ...the ansible-playbook complains about it with this message:
>
> The offending line appears to be:
>
>   - { name: "user2",
>   password: !vault |
>^ here
>
> exception type: 
> exception: while scanning for the next token
> found character that cannot start any token
>   in "", line 30, column 28
>
>
>
> I've tried variations such as removing the "|" and putting everything from 
> "!vault" through "3732" on the same line (removing spaces), using a "<" 
> instead of the "|", etc.
>
> Am I doing it wrong?  Is this a bug in the vault string handling that I 
> should report?  Or is this a "not yet implemented" variation on vault data 
> that I should put in for a feature request?
>
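
Added example, not part of the original thread: the same list written in YAML block style instead of flow style. A block scalar introduced with "|" is not valid inside a flow mapping ("{ ... }"), which is where the scanner error quoted above points; in block style the "!vault |" value parses and the variable stays a list. The ciphertext line is a placeholder and the assert task is an assumption for illustration.

```yaml
---
# Added example; replace the placeholder with real ansible-vault output.
- hosts: localhost
  gather_facts: false

  vars:
    password_list:
      - name: "user1"
        password: "user1pwd"
      - name: "user2"
        # Produce this value with: ansible-vault encrypt_string --name password
        password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <PLACEHOLDER: hex lines printed by ansible-vault encrypt_string>
      - name: "user3"
        password: "user3pwd"

  tasks:
    - name: Decrypt each entry without printing it
      assert:
        that:
          - "(item.password | string | length) > 0"
      with_items: "{{ password_list }}"
      loop_control:
        label: "{{ item.name }}"   # show only the account name per item
```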



[ansible-project] Vault and "dictionaries" - bug or feature request?

2017-10-11 Thread Dan Linder
I have a dictionary variable setup that has accounts and passwords:

password_list:
  - { name: "user1",
  password: "user1pwd"
}
  - { name: "user2",
  password: "user2pwd"
}
  - { name: "user3",
  password: "user3pwd"
}



This variable works as expected.  When I update one of the passwords to 
a vaulted version like this:

password_list:
  - { name: "user1",
  password: "user1pwd"
}
  - { name: "user2",
  password: !vault |
$ANSIBLE_VAULT;1.1;AES256

6636626533326432626431646631356664663262326535346265353939383239626634636331

6462666364303539336132346430346432333564346663300a6261366630626330643735

6461366438373839313434303433663164363030383663336663656432613965663862656237

363134646332610a636230616334306232336263313139623264663338613538643163356239
3732
}
  - { name: "user3",
  password: "user3pwd"
}




...the ansible-playbook complains about it with this message:

The offending line appears to be:

  - { name: "user2",
  password: !vault |
   ^ here

exception type: 
exception: while scanning for the next token
found character that cannot start any token
  in "", line 30, column 28



I've tried variations such as removing the "|" and putting everything from 
"!vault" through "3732" on the same line (removing spaces), using a "<" 
instead of the "|", etc.

Am I doing it wrong?  Is this a bug in the vault string handling that I 
should report?  Or is this a "not yet implemented" variation on vault data 
that I should put in for a feature request?



Re: [ansible-project] Ansible "file" module and attributes in 2.3.1.0

2017-07-23 Thread Dan Linder
Thanks Kai, hadn't thought about using the attr_flags field - I'll give it
a shot when I get back to that issue.

Dan

On Sat, Jul 22, 2017 at 9:34 AM, Kai Stian Olstad <
ansible-project+l...@olstad.com> wrote:

> On 21.07.2017 17:34, Dan Linder wrote:
>
>> I setup a playbook with this play:
>>
>> - name: "Remove immutable flag"
>>   file:
>>     path: /etc/security/access.conf
>>     attributes: "-i"
>>
>> The documentation isn't clear on what "attributes" can be but the file
>> module call chattr with the "=" precursor before the attributes.  For my
>> case, I can just send "e" as the attribute (which effectively removes "i",
>> the only attribute on this file usually), but it doesn't make it easy to
>> enforce a single change without knowing and setting all attributes.
>>  (Admittedly that would be more idempotent.)
>>
>
> It only requires an additional task to only remove the attribute without
> touching the other ones.
>
>   - stat:
>       path: /etc/security/access.conf
>     register: result
>
>   - file:
>       path: /etc/security/access.conf
>       attr: "{{ result.stat.attr_flags | regex_replace('i', '') }}"
>
>
>> Can someone update the documentation, to add this note on the usage?
>>
>> Or, can the command line fed to chattr be updated to remove the "=" before
>> the attributes when a +/- is present in the attributes line?  That makes it
>> easy to use "-i" to remove immutable, or "+i" to add immutable flag, though
>> I haven't thought through the ramifications and idempotent features...
>>
>
> You can always make a feature request on Github
> https://github.com/ansible/ansible/issues
>
> --
> Kai Stian Olstad
>



-- 
* * *** *** * *** **
"If you wish to make an apple pie from scratch,
  you must first invent the universe."
  -- Carl Sagan

"Quis custodiet ipsos custodes?"
(Who can watch the watchmen?)
-- from the Satires of Juvenal

"I do not fear computers, I fear the lack of them."
-- Isaac Asimov (Author)
** *** * *** *** * *



[ansible-project] Ansible "file" module and attributes in 2.3.1.0

2017-07-21 Thread Dan Linder
I've got a set of systems that have a configuration file with the 
"immutable" flag set on them by a previous setup process.  The "lsattr 
/etc/security/access.conf" on a RHEL 6 system shows the "i" flag set. 
 Manually doing a "chattr -i /etc/security/access.conf" removes the flag, 
but I'd like to have Ansible remove this flag if found on a few of these 
files.

I setup a playbook with this play:

- name: "Remove immutable flag"
  file:
    path: /etc/security/access.conf
    attributes: "-i"

The documentation isn't clear on what "attributes" can be but the file 
module calls chattr with the "=" precursor before the attributes.  For my 
case, I can just send "e" as the attribute (which effectively removes "i", 
the only attribute on this file usually), but it doesn't make it easy to 
enforce a single change without knowing and setting all attributes. 
 (Admittedly that would be more idempotent.)

Can someone update the documentation, to add this note on the usage?

Or, can the command line fed to chattr be updated to remove the "=" before 
the attributes when a +/- is present in the attributes line?  That makes it 
easy to use "-i" to remove immutable, or "+i" to add immutable flag, though 
I haven't thought through the ramifications and idempotent features...

Thanks,
Dan



Re: [ansible-project] Using include_vars and with_items with optiona files == bug?

2017-07-10 Thread Dan Linder
I'm falling back to the six tasks for now (three stat file, three include 
when exists).

In my mind this is a bug; the "ignore_errors" setting should let it keep 
the partial result.  The parallel being that the file module could 
partially succeed in setting a file owner but SELinux or other methods 
could deny the setting of the file group.

But I'll agree to disagree with you on that point. :-)

I could see the addition of the "hash_behavior" as an argument to 
"include_vars" and let it have the option of "keep_partial" as an extension 
of merge (replace, merge, merge_partial).

On Monday, July 10, 2017 at 3:39:29 PM UTC-5, Brian Coca wrote:
>
> The merge setting will affect the result of the task, but not the 
> internal iterator of the task. 
>
> You might want to make this 3 tasks or use vars_files. 
>
>
> -- 
> -- 
> Brian Coca 
>



Re: [ansible-project] Using include_vars and with_items with optiona files == bug?

2017-07-10 Thread Dan Linder
I forgot to add that I've defined the hash_behaviour to "merge" just for 
this express purpose of keeping and stacking/appending variables so the 
normal behavior is supposed to be modified here.

On Monday, July 10, 2017 at 2:59:22 PM UTC-5, Brian Coca wrote:
>
> Well, when you include_vars you are normally overwriting existing 
> vars, this will happen in a with_ loop or outside of it, that is 
> normal behaviour. 
>
> As for the error wiping out myvars ... the task failed, so none of the 
> work was done. The previously accumulated data in the 2 files that did 
> work is lost as the task ends up not importing any vars as it failed 
> as a whole, even if parts of it succeeded. 
>
> -- 
> Brian Coca 
>



[ansible-project] Using include_vars and with_items with optiona files == bug?

2017-07-10 Thread Dan Linder
I'm trying to setup a hierarchical set of variable files so that different 
teams can setup value, permitting more specific instances to override 
generic ones.  The key is that the more specific instances may not be 
defined in all cases.  I thought I solved it with a combination of 
"include_vars" and "with_items" and using "ignore_errors" to skip a missing 
file.

But, when any of the include files are missing the entire set of included 
values are lost.  It appears that any ignored failure in the include_vars 
deletes the entire data structure when it continues on.

Here's a sample playbook and variable files.  (For what it's worth this is 
Ansible 2.2.0.0 on RHEL 6)
*teststackvars.yml*

#!/usr/bin/env ansible-playbook
# Run like this:
# ANSIBLE_HASH_BEHAVIOUR=merge ./teststackvars.yml -i localhost, -l localhost --check
# or set hash behavior in ansible.cfg and run without variable.
---
- hosts: all
  gather_facts: False

  tasks:
  - name: Include the variables in precedence
    include_vars:
      file: "{{ item }}"
      name: myvars
    with_items:
      - info_a.yml
      - info_b.yml
      - info_{{ inventory_hostname }}.yml
    ignore_errors: True

  - debug:
      msg: "{{ myvars }}"


And these three vars files:

*vars/info_a.yml*

---
var_from_info_a: from info_a.yml
some_var: value from info_a

 

*vars/info_b.yml*

---
var_from_info_b: from info_b.yml
some_var: value from info_b


*vars/info_localhost.yml*

---
var_from_info_localhost: from info_localhost.yml
some_var: value from info_localhost


When I run it with all files defined it works just fine:

*$ ./teststackvars.yml -i localhost, -l localhost --check*

*PLAY [all] 
**

*TASK [Include the variables in precedence] 
**
*ok: [localhost] => (item=info_a.yml)*
*ok: [localhost] => (item=info_b.yml)*
*ok: [localhost] => (item=info_localhost.yml)*

*TASK [debug] 

*ok: [localhost] => {*
*"msg": {*
*"some_var": "value from info_localhost",*
*"var_from_info_a": "from info_a.yml",*
*"var_from_info_b": "from info_b.yml",*
*"var_from_info_localhost": "from info_localhost.yml"*
*}*
*}*

*PLAY RECAP 
**
*localhost  : ok=2changed=0unreachable=0   
 failed=0*


That looks good - all the unique variables from info_a/b/localhost are 
defined, and the common "some_var" is overwritten by the last file.

When I rename one of the YML files, the entire "myvars" variable structure 
goes away:

*$ mv vars/info_localhost.yml vars/info_localhost.yml.disabled*
*$ ./teststackvars.yml -i localhost, -l localhost --check*

*PLAY [all] 
**

*TASK [Include the variables in precedence] 
**
*ok: [localhost] => (item=info_a.yml)*
*ok: [localhost] => (item=info_b.yml)*
*fatal: [localhost]: FAILED! => {"failed": true, "msg": "Unable to find 
'info_localhost.yml' in expected paths."}*
*...ignoring*

*TASK [debug] 

*fatal: [localhost]: FAILED! => {"failed": true, "msg": "the field 'args' 
has an invalid value, which appears to include a variable that is 
undefined. The error was: 'myvars' is undefined\n\nThe error appears to 
have been in '/home/dan/teststackvars/teststackvars.yml': line 20, column 
5, but may\nbe elsewhere in the file depending on the exact syntax 
problem.\n\nThe offending line appears to be:\n\n\n  - debug:\n^ 
here\n"}*
*to retry, use: --limit 
@/home/dan/teststackvars/teststackvars.retry*

*PLAY RECAP 
**
*localhost  : ok=1changed=0unreachable=0   
 failed=1*

*$*


I searched the group and Google in general for "with_items" and 
"include_vars" but didn't see anything that seems to pertain to this. 
 Shouldn't this work - at least let the variables that were in the "myvars" 
stay in-spite of the missing variable file?

Thanks,
Dan



[ansible-project] Roles, vars, defaults, and pre_tasks.

2017-03-09 Thread Dan Linder
I'm trying to split up a large playbook into roles and it's going pretty 
well except I'm having trouble with variables not being pulled in from the 
roles vars or defaults files.

My playbook has this test playbook with a pre_task:

---
- hosts: all

#  vars:
#    doreboots: true
#    zadmin_password: Today123zadmin
#    root_password: Today123

  pre_tasks:
    - debug:
        msg: "Playbook WILL REBOOT when requested."
      when: doreboots

  roles:
    - setup_ansible_data


I've moved the "vars:" section (commented out above) to the main.yml files 
in both the "vars" and "defaults" directories like this:

---
  doreboots: true


When the playbook is run, I get this error:

TASK [debug] 
***
fatal: [system.example.com]: FAILED! => {"failed": true, "msg": "The 
conditional check 'doreboots' failed. The error was: error while evaluating 
conditional (doreboots): 'doreboots' is undefined\n\nThe error appears to 
have been in '/etc/ansible/roles/sysprep/test.yml': line 10, column 7, but 
may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe 
offending line appears to be:\n\n  pre_tasks:\n- debug:\n  ^ 
here\n"}


Or more human readable:

The conditional check 'doreboots' failed. The error was: error while 
evaluating conditional (doreboots): 'doreboots' is undefined

The error appears to have been in '/etc/ansible/roles/sysprep/test.yml': 
line 10, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  pre_tasks:
- debug:
  ^ here


Thoughts?

Thanks!
Dan
