gabbottIs there a way to pause between hosts running a task?
lambais it expected that a when: blah is defined would trigger against a variable that's only registered inside a task that was skipped ?
flowerysongSkipped tasks still register variables, so that you can later test to see if the task was skipped.
lambaoh. i'll try when: blah|success then i guess
lamba? wat, that still triggers it ?
agaffneylamba: 'when: not blah|skipped' is more explicit
raubHow can I conditionally include a handler? It seems I cannot do it from handlers/main.yml
rocketdoes anyone have advice for dynamic inventories for ec2 using multiple roles? is it possible to do with ansible? what are others doing?
morgajelok, since I didn't get much of a bite earlier- I'm getting ready to do a presentation at work on writing ansible roles. Could some of you give my slides a once-over and provide some feedback?
Jmainguymorgajel: I disagree with slide 4
Jmainguydont see value in generic, or using others roles
JmainguyI dont trust other people , and neither should you
Jmainguyslide 9, I count 1137 modules
Jmainguyslide 17, I would mention ansible can be run in --check mode
Jmainguyrest of slides look great to me, nice work
morgajelJmainguy: thank you for the feedback, let me see what I can integrate
morgajelfor slide 4, it makes it easier to ask for help if they don't hardcode values that shouldn't belong in pastebin :)
temmi_hoois it possible for hosts to belong into multiple groups? how does that appear in inventory?
temmi_hooi've got some tens of sites with similar host structure and i'd like to apply set theory intersections orthogonally
moritztemmi_hoo: yes, that works
moritz[a]\n host1 \n host2 \n [b] host1
moritzthis puts host1 into groups a and b
moritzand host2 only in a
temmi_hooi'd not really want to list all hosts as i have a b-class network to fill with these... :D
temmi_hooa site has 172.16.X.Y/24 where X is also used for routing 192.168.132.X and the Y in a site is templated so that .1 is always router .2 does this and .3 does that and so on
moritztemmi_hoo: maybe you want a dynamic inventory?
moritzyou can write a script that creates a json file
moritzif your stuff is very structured, that shouldn't be too hard
temmi_hooit is highly structured, yes, with very few exceptions i'm willing to enlist as individual exceptions
temmi_hooany pointers on what kind of json i'm supposed to output from the script?
moritzmake sure to include the "_meta": { "hostvars": ... }} in the --list output
moritzotherwise ansible will call your dynamic inventory script for each host, which could get slow if you have many
temmi_hoopotentially up to 2^16 but in reality more like 4*17
temmi_hooalthough just being able to refer to the number in hostname[90:99] pattern would already be plenty
ninstaahHi all, I am not sure how I should go about declaring variables for different hosts. I want to declare a variable like nginx_vhosts containing the different vhosts within that variable. What would you suggest?
moritzninstaah: use a host variable
ninstaahmoritz: like this ?
temmi_hooi was having an idea if i just could do something like this:
temmi_hoodunno if inventory can work like that
bogdandocould someone please comment on that os_stack & clouds.yaml issues I have!searchin/ansible-devel/clouds.yaml%7Csort:relevance/ansible-devel/VpRUFygnc_8/97ScUvRkAwAJ ?
temmi_hooi'd really like to keep it readable to nonprogrammers
temmi_hoois there a way to just gather facts and print them to stdout/stderr without actually running anything?
moritzansible hosts -m setup # or something like
temmi_hoowhat about just the locally defined facts, including those set by playbooks?
temmi_hoo... these hosts don't exist until I create them and I'm not wanting to do that until I have the variable patterns properly set
BloqueNegrotemmi_hoo: then probably stick to debug steps
BloqueNegroafaik there is the --check parameter, this tends to fail in various situations
teisslercan somebody please help me with a condition which doesn't work anymore since ansible 2.3?
teissleras the nmcli module doesn't handle bridges very well or not at all i created those with command and nmcli directly, but since upgrade to ansible 2.3 my conditions always fail with the message that variables could not be accessed because they are undefined
sxpertstart by not using network-mis-manager ;)
teissler:-/ that's a requirement or wish of my customer, so i have no choice
sxpertthere could be any number of bugs not related to ansible in there
teissleri'm pretty sure the bug is within my when clause
sxpertstart by using the debug module to check out if your variables actually contain something
teissler- name: Configure bridge slave(s) command: nmcli c a type bridge-slave con-name {{ item.conn_name }} ifname {{ item.ifname }} master {{ item.master }} with_items: "{{ nmcli_bridge_slave }}" when: item.ifname not in hostvars[inventory_hostname]['ansible_' ~ item.master | replace('-', '_')][interfaces] tags: network
teisslergrml... that was nothing.. impossible to read
sxpertand use pastebin for long things
sxpertthanks ;-)
teissleri think the issue is within the replacement of the item.master
sxpert- debug: "var=item"
sxpertto the tasks
sxpertteissler: hmm, I'd try adding () in the expression
sxpertfor starters
teisslersxpert: for what to i need the braces? it's just one condition
teisslersorry do not to
sxperttry: 'ansible_' ~ (item.master | replace('-', '_'))
teissleri already tried that with ~ instead of +, but the same errors
teisslerah i see. sorry
teissleri'm trying
ninstaahHi, I am having troubles (simple ones I think..) in regard to using templates properly - I get this error and have been stuck here for a while:
temmi_hoois there a dry-run option for ansible-playbook?
teisslertemmi_hoo: yes -C
temmi_hoothx, will try
temmi_hooso how could I have a printout of all the facts gathered by the playbooks?
sxperttemmi_hoo: it is in the debug doc:
petn-randalltemmi_hoo: ansible -m setup is a way to do that.
sxpert- debug: "var=hostvars[inventory_hostname]"
temmi_hooit's not showing me variables i've set up in inventory
sxperttry "var=hostvars" then
sxpert(beware. it will be *long*)
temmi_hooit's long all right, piping to less helps a lot
temmi_hoogrepping helps more
temmi_hoofrom the inventory: elli90 point_lan_ip= point_vpn_ip=
temmi_hoo% ansible -i provisioning/inventory -m setup all | grep point_
temmi_hooresults in nil
teisslersxpert: thank you, i fixed it. The problem was the missing ' in the when clause for the interfaces
temmi_hoowhat am i doing wrong?
dxlr8rcan I "export" a fact set from a subset of an inventory (foo[0]) to the rest of the inventory?
czakeyis it possible to change "level of parallelism" for just one task or play?
hyperizeddxlr8r: hostvars[groups['rundeck-masters'][0]]['ansible_ec2_instance_id']
hyperizedsomething like that
hyperizedczakey: yes: serial: 1
czakeyhyperized: thanks!
hyperizedtemmi_hoo: not sure what you mean
dxlr8rhyperized: testing
JEEBwas it possible to enable/disable pipelining on an inventory based level as opposed to config file level?
temmi_hoohyperized: i'd like to see what host variables hosts have from inventory and playbooks
temmi_hooansible -i inventory -m setup all # will print out lots of facts but none of them are from inventory
Jeeves_Q: How can I install ntp|chrony via the apt: manager?
Jeeves_So, either one is ok?
asydhmm I'm using a galaxy role which defined default variables in defaults/main.yml, I used it in playbook, where the vars: section override variables, however the variables still using the default, it's not supposed to happen, right?
Indrekhi. Is it possible to get an another dict element where index is dict item ? example dict2[item.value] ?
ericzolfHi, trying to use the foreman callback plug-in to push facts from Ansible to Foreman but it fails silently (no facts / no connection towards Foreman but no error message either).
ericzolfLooked in the doc but couldn't find anything: are there a few recommended ways to debug callback plug-ins?
ericzolf-vvv doesn't seem to be the answer.
WhiteWolf`hello, I have a little problem
WhiteWolf`how to escape this?
igor_workHi there. Let's assume I have to check if file is presented and do something if so. In that case I can use registered_variable like
igor_workIt's easy. But what can I do in case of several files?
igor_workI can create a dictionary like
igor_workBut I have no idea how to use it
oh4using git module, what is a good way to only clone specific files instead of an entire branch? maybe I should clone to a tmp location and then move the files to where I want?
Gonzihoh4: yes
oh4when using the "remote" option in git, does this option mean that I want to clone to the remote server I am connecting to as opposed to locally from the control machine?
oh4wondering if I need to use remote option if I am already connecting to that machine itself
agaffneyoh4: it refers to the git "remote" name, which defaults to "origin"
Gonzihoh4: remote
Gonzih no origin
GonzihName of the remote.
Gonzihfor docs
Gonzihits in terminology, of git, default is origin
oh4ah, ok
WhiteWolf`anyone know how to nest ansible variable inside bash variable in template?
asydWhiteWolf`: check j2 doc, there is a tag to prevent var parsing
WhiteWolf`will try
DVS[1]Hi, I'm using the package module with "with_fileglob: path/to/dir/*.rpm". sometimes it fails on missing dependency which exist in this folder (if running again it succeeds). is there a way to ensure it installs all dependencies while still using the wildcard?
agaffneyDVS[1]: can you be more specific about this missing dependency and how/why it fails?
Jmainguyalso not to nitpick (proceeds to nitpick), but you really should be using a yum repo, instead of copying over and installing multiple rpms from local filesystem
Jmainguyagaffney: I am guessing the package module is not installing all the rpms in one transaction, but rather one at a time
Jmainguyagaffney: which would cause dependency errors if I am correct
agaffneyah, yeah, dependencies between the RPMs
DVS[1]Jmainguy≻ Thanks. do you mean I should create a repo for ansible installs? these machines are disconnected from the internet
JmainguyDVS[1]: an internal yum repo to your network yeah
agaffneydoes the 'package' module support collapsing the list like the 'yum' module does?
DVS[1]TBH I didn't encounter such errors when using the yum module
Jmainguybcoca: ^^
agaffneyDVS[1]: try using 'yum' instead of 'package'
JmainguyI think package module is bcoca's baby
bcocaagaffney: package does not squash by default
JmainguyI havent tried it, I always just use yum module
bcocaJmainguy: not my baby, its pig dressed up with diapers that i had to adopt while nuke pointed at my family
agaffneyDVS[1]: it works with the 'yum' module, because ansible passes all RPM files to the 'yum' command at once, allowing it to do dependency resolution
DVS[1]Isn't the yum module about to be deprecated..?
agaffneythe 'package' module is a wrapper that supports the lowest common denominator of the more specific packaging modules
agaffneyDVS[1]: no...where did you get that impression?
DVS[1]I think I read that somewhere. I might be wrong
agaffneyyum itself is "deprecated" by dnf, but that's very different than ansible's yum module being deprecated
Jmainguyand thats in the future
Jmainguyrhel7 is still yum, rhel8 will be dnf
bcocaagaffney: except dnf is now deprecated for yum ....
bcoca^ dnf cli is being sunsetted in favor of return to yum interface
Jmainguybcoca: legit?
Jmainguybcoca: wow
bcocaagaffney: yep, my reaction
agaffneynow if only that would happen with systemd
miscyou want to replace systemd by yum ?
bcocawell, its still going to be the dnf code base, but they are using yum as the cli
bcocamisc: yes!
Jmainguywell thats cool, I am glad they are keeping the name
agaffneymisc: it might be an improvement
bcocaprobably still less intrusive
miscthe reason for changing the name was to change the interface
miscand changing the interface to get rid of kludge :/
Jmainguyyeah I understand the reasoning, it just still hurts
Jmainguyso, its cool they will keep the name around at the very least now
bcocamisc: there were reasons?
bcoca... at this point i just think all programmers want to create a package manager
miscbcoca: yeah, for 1, be able to have the 2 tools side by side
bcocacause the existing ones suck ... but the new ones suck worse ....
agaffneybcoca: you aren't a *real* programmer unless you've created another terrible package manager without learning lessons from the multitude that came before
JmainguyI only created an interface to a package manager, I am not a true programmer yet
bcocaagaffney: done that... why do you think im so fervently against new package managers?
agaffneyI've dabbled myself
bcocawriting one now ....
miscin the case of dnf, it was a fork of yum, using a different backend based on a sat solver, etc, so I would say they did learn the lesson :)
bcocafor ansible ..
agaffneybut I was "smart" (or maybe just lazy) enough to not unleash it on the world
Jmainguybcoca: nice
Jmainguybcoca: galaxy?
bcocano, though galaxy is kind of the start of one
temmi_hoomy very short experience of yum on centos says I like it already a lot better than dpkg
temmi_hooapt I can deal, the dpkg underneath is horrible
bcocadpkg is not that horrible, its just very limited
temmi_hooapt is pretty bad though but still, can deal with it
bcocaas rpm was
bcoca'aka, pkg mgrs before the interwebs'
ryansbyou mean USPS?
temmi_hoofunny how freebsd ports has always been able to use intwerpen tubes
miscah ah
bcocaryansb: DHL ...
agaffneytemmi_hoo: yum and dpkg are very different tools. instead, you should compare yum to apt, and dpkg to rpm
temmi_hoorpm without dependency management was what turned me off of red hat when it was new
bcoca^ i think that was 90% of people that fled rpm distros
temmi_hooagaffney: I know
bcocayast brought me back a bit
bcocayum was a godsend
bcocaso was apt
temmi_hooso after rpm, I never saw yum until about last week
bcocadpkg-selections was a horror i wish on no one
agaffneybcoca: ugh, I came across that a while back when I was first creating Ubuntu preseed files for my local VM creation script
bcocaagaffney: current one is more about questions, before it was also package selection
temmi_hoouhhh yeah, after seeing rpm as _BAD_ someone recommended debian to me and dpkg-selections turned me off of that so that I decided against trying any more Linux-centric OS distro
bcocayou need a 'pre sarge' version to see the horror i mean
temmi_hoothe codenaming was also one thing that told me debian* aren't my cup of joe
miscbcoca: the fun part is that how everybody kinda remember fondly of older distros sometime
temmi_hoosemantic version numbers are good
miscuntil you have to deal with them again
agaffneytemmi_hoo: the state of linux package managers 15-20 years ago isn't much different than Windows was up until ~5 years ago, but somehow a GUI makes everything better
Jmainguybcoca: up2date is best package manager all time, admit it
temmi_hoo386bsd was nice
temmi_hoosmall but nice
bcocaim partial to portage
bcocabut im also insane
bcocai think it does good job of making 'bsd ports' user friendly
miscI was a bit sad that research kinda was non obvious however :/
bcocayeah to my opinion on portage or that im insane?
miscbcoca: that portage was nice as a package manager
agaffneyportage is nice but overly complex in ways. I also have a different perspective of it from yum/apt, as I watched it evolve (and even poked around in it) over the years
bcocait can always be 'better'
mischowever, a good package manager is not enough if you do not have the community behind to do the packages
temmi_hoothen there were the nysv trials and open source people of the time largely fled to Linux centric OS while BSD-landia was nearly halted except the commercial ones, who in turn responded by a quick plan b: submit to att and become sysv
bcocamisc: true, good package manager means crap if packages themselves are crap
temmi_hooanyhow to me as all-time freebsd user last week meet of centos yum under ansible control looks nice
kiorkyhi, if i setup dynamically a ssh-agent, how i tell dynamically the ansible play which is currently running (add the relevant SSH_AUTH_SOCK in next ssh calls).
svshi all. I'm having an issue with the jabber module. it's generating an error and I have no idea what to troubleshoot:
svsany ideas what is a good combination of xmpppy and ansible versions?
johnjelinekhihi all
asyds 1
helldoradohi all
svsif I install version 0.5.1 of xmpppy, I get a different version:
johnjelinekI'm creating a role and I have vars in `defaults/main.yml`, but I want to override those in my main task, ie `- { role: vault-role, version: 0.6.4 }`. The version in `default/main.yml` is what ends up getting used. How can I override this var?
helldoradoIs it possible to retrieve the list of roles in playbooks ?
johnjelinekI thought precedence allowed me to override the defaults
dav1xjohnjelinek -e var
dav1xif you pass in a new var when you are calling the playbook
dav1xthe new var is honored
dav1xhelldorado i dont think so
dav1xi usually create tasks for assigning my roles
dav1xthen you can do --list-tasks
helldoradook thanks dav1x
johnjelinekdav1x: I want to specify the var when I reference the role in my playbook, not when I call it via CLI
dxlr8rthe "json" from ansible debug, how can I parse that? it does all kind of strange things, like u' and False (versus false), so no applications I have wants to touch it
dxlr8r| to_json did it
sxpertis there a way to print the contents of results.msg to the console (say, for instance, to make the error messages readable instead of being gobbledygook with \n\n\n)?
abyssguys, I have question, I have following lines: Sometimes I perform ansible and have "after changes". I'd like to perform different playbook which check what is in server in upstream I mean if it has down status or doesn't? Which method is best to achieve nice json?
abyssJson which show status of the upstream servers and for all servers in inventory
kiorkyA/B 3
rocketI have a question re ansible and the dynamic hosts scripts .. is it possible to somehow point to 2 aws accounts at once with the ec2 script?
agaffneyrocket: not with the existing script, but you could modify it to work that way. you could also just create two separate copies of the script in an inventory dir, but you may still need to hack the scripts to get them to pick up different creds
agaffneyansible itself doesn't care. a dynamic inventory script is just a script that ansible runs and that outputs JSON. ansible cares nothing about what happens between those two things
raktajinohelldorado: '{{ role_names }}' is a list of roles in the current play
rocketagaffney: ok thanks :)
luch0hello, im looking for a way to exclude some instances that contain a specific tag (unmanaged) in anybody do something like this?
helldoradoraktajino works. thanks
A_Personso for jinja2's combine() filter, is there any way to create a new dict for it, where the key is a variable, and the value is a variable ?
A_PersonI am trying to e.g. "{{ accumulator_dict | default({}) | combine( { a_variable_key: a_variable_value } ) }}" in the context of a with_subelements, to coerce data from another list of dicts into the desired structure
axinhas anyone ran into the issue where they get these hung pids from ansible? they look like this: "ssh: ../.ansible/cp/ansible-ssh-*-root [mux]"
axinevery so often i'll need to go onto the host and manually kill them
A_Personhmm, I think I just realized something :P
A_Personwait nevermind no I didn't
larsksaxin: are you certain those are "hung"? That looks like one of the persistent ssh connections that Ansible uses to reduce the latency of new connections. See the 'ssh_config' man page and read about ControlPersist (and related config options).
axinlarsks - yeah they seem hung...i would expect a timeout after some time
axinthat's a current output of "ps -ef | grep ssh"
larsksYeah, that does seem a bit long for them to persist.
axinyou can see that there's been one there since May02
larsksCould be an ssh bug also, I guess. I wonder if 'strace' would yield anything interesting?
jasoncala_Hi, I was wondering if anyone has experience using ansible-hardening
Jmainguyjasoncala_: I have not, looks to be an ansible role, to meet some security requirements
JmainguyI am sure its fine, if you are into security, I am sure you will want to dig into the code to ensure you actually meet those requirements
jasoncala_Its for STIG requirements
axinlarsks - just sitting there on a select 9:
jasoncala_my issue is I am trying to figure out some issue with running it and can't seem to find a resource given the git site doesn't enable 'issues' to ask questions
larsksaxin: Weird. I've got nothing.
larsksjasoncala_: the README suggests that you try #openstack-ansible.
axinalso lsof of that pid shows the pid has no current open files
jasoncala_i tried there already
Jmainguywhat did they say
jasoncala_they weren't able to answer my question
larsksjasoncala_: the docs suggest that it's part of the openstack-ansible project, which means bugs can be logged at
jasoncala_well it wouldn't be a bug per se...
Jmainguyif its failing, sounds like a bug
larsksBut if the #openstack-ansible folks can't help -- and they're usually pretty active there -- I'm not sure you'll find better help anywhere else.
jasoncala_just a question about the specific amount of security controls being applied
Jmainguygotcha, yeah not super familiar with that role
jasoncala_it says it supposed to run over 200+ controls
jasoncala_but when i run the playbook it says 96=ok
Jmainguy96 tasks, those 96 tasks might apply 200 controls
jasoncala_and in the defaults/main.yml it looks like each control is applied
jasoncala_I see.. i might be able to check the tasks
schwichthello I was wondering, if there is work in progress to implement --enable-private-ip-google-access in ?
Jmainguyschwicht: #ansible-devel might be a better channel for that, the mailing list probably being the best way to get an answer for that question
schwichtJmainguy: yes .. thanks .. I tried that .. and the two people I would ask directly are not online ... I should use the mailing list
schwichtit is a little surprising that not more people are asking for that though, as that is really a key feature to have GCP hosted apps not having a leg on the internet but still being able to access the GCP API for example for GS bucket access ... there is the equivalent issue on AWS as well
cognifloydCan I add an ssh proxy_command in the inventory (not in ansible.cfg)?
johnjelinekhihi all
johnjelinekif I want to filter the output of `docker_image_facts`, do I have to register it first?
johnjelinekor can I do something like `docker_image_facts | json_query(...)`
agaffneyjohnjelinek: yes, you need to 'register' it and then poke around in it separately
johnjelinekagaffney: thanks
bencc1on ubuntu I should set ask_sudo_pass = True?
agaffneythat has nothing to do with Ubuntu and everything to do with how you have sudo configured on the remote host
bencc1agaffney: isn't it bad practice to configure sudo to not require a password?
bencc1both to prevent accident and as a security issue
agaffneythat's a very loaded question that you must answer for yourself, but it doesn't change what I said above
bencc1I understand
bencc1do you use sudo with password?
bencc1just to know what's common
agaffneyI use passwordless sudo both at home and at work, but at work, only SSH key logins are allowed, which makes it "safer"
qqumberI'm tempted to troll and cause havoc and energize myself beyond sense and go psychotic. Something is wrong with me and I don't know if this is healthy. I'm typing very very fast now.
duffi was directed here by a question in github
larsksduff: you will need to ask a question, then...
misclarsks: hello was a question :)
duffexactly, misc
miscACTION start to sing Lionel Richie 
agaffneyduff: then you will need to ask a *better* question :)
duffok, ok: i tried installing ansible and I was met with this error (error: command 'cc' failed with exit status 1)
miscthat's on osx ?
dufflooked it up and found this:
miscyou might need to have a working compiler
duffyes, i am installing on macos, and in this example the user was in CoreOS
misccause pip install will pull various library, some in C
agaffneyduff: it's most likely one of ansible's dependencies that's failing to compile, which isn't strictly an ansible problem. can you gist/pastebin more of the error message that you get?
duffyes, one moment please
miscyeah, cryptography needs a c compiler
duffappears to be a problem with cryptography?
duffmakes sense
duffi'll work on it and stick around in case i suck at something else
newdimensionWhat's the best way to separate staging from production when running an ansible playbook? From what I gather I could create two inventory files and separate the relevant variable under group_vars
agaffneynewdimension: that's generally a good approach
newdimensionagaffney: thanks for the confirmation. I'll move forward this way
duffnow I'm in quite the pickle
duffi do have a c compiler installed
duffand I still received the same error
agaffneyduff: you didn't show us the actual error, just the line after it that said that 'cc' had failed
agaffneyshow us the chunk immediately above that line, and that should have the actual error from the compile attempt
duffgot it
duffi'm your huckleberry
agaffneyfatal error: 'openssl/opensslv.h' file not found <-- you need openssl development libs/headers
agaffneywhich OSX probably doesn't have available by default
duffthey said this would be easy!
duffi'm on it!
agaffneyjust to reiterate, this isn't actually an ansible problem, it's a problem with one of the python dependencies of ansible
agaffneyinstalling ansible is easy. installing its dependencies isn't necessarily so easy
duffright i see that now
duffagain, i apologize for sending all these questions your way; a quick search of the problem directed me here
duffi am trying to install the algo vpn, because everybody told me it was super easy and this is about the eighth hiccup i have come across
newdimensionIf my staging and production are on the same server. Do I still need to make two inventories to separate the variables? Can't I switch in a different manner?
agaffneyyou can do a single inventory and just use 'prod' and 'staging' groups in your inventory to separate them
agaffneythe separate inventories makes it harder to target the wrong env with 'all'
newdimensionI see. I actually came across this and like the setup:
agaffneythere's no one "correct" way to do it. use what works for your needs
newdimensionagaffney 100% but it's always useful to learn from more experienced people. When I first asked the question I was about to created to separate inventory files since I have webserver and dbserver groups already. Your answer reminded me I can setup child groups
newdimension*create two
duffi think this may be something in ansible. not an error, but I would like to see if i could ask this here with any luck: after doing some troubleshooting, the compiler i am using is "gcc"; however the compiler that is checked for in the ansible install package is "cc".
duffis there anyway around this? or am I out of luck?
duffnvm, found a possible solution
agaffneyduff: that's not the ansible install package. that's from the build of 'cryptography', which is an ansible dependency. also, 'cc' is often a symlink to 'gcc'
duffah, i see
duffthank you; i'll leave you alone!