aRdoRanyone here using the cloudformation module
aRdoRI register my stack after I created it (that works great), but I can't figure out how to print my IP address
aRdoRthere is a mystack.stack_resources which is a JSON returned job
aRdoRand inside of that it has multiple objects all with the same keys, "logical_resource_id": "IPAddress", "physical_resource_id": "" but then in another one it has "logical_resource_id": "EC2Instance", "physical_resource_id": "i-450304532a"
aRdoRIm not sure how i print the IP address
larsksaRdoR: can you post an example of what the mystack.stack_resources variable actually contains?
aRdoRI made this Ansible Demo just an fyi since you guys might be interested
larsksaRdoR: okay. So you've got a list of dictionaries, and you want to filter them by an attribute. We can do that.
larsksJust a sec...
larsksaRdoR: so, here's one option:
larsksWe use the 'selectattr' filter to find the dictionary with logical_resource_id == 'IPAddress', and then grab the corresponding physical_resource_id from that result.
aRdoRok yeah that looks perfect
larsksaRdoR: There is also a json query filter:
larsksThat will let you do the same thing.
aRdoRyeah I looked at the query filter
aRdoRand I dont know didnt really like it, but I like what you have
aRdoRok I am going to go try it
larsksaRdoR: an example using json_query:
aRdoR_hi, Im on my development laptop now.
aRdoR_got it working with msg: "{{ pub_web01_stack | json_query(\"stack_resources[?logical_resource_id=='IPAddress'].physical_resource_id\") }}"
aRdoR_with the json_query as suggested
aRdoRlarsks: Thanks!
aRdoR_"host": "['']", ----- I think my connection is timeout due to host not equal to ... will it work fine as "['']"
agaffneyno, you are probably using a list where you should only be using a string
agaffneyyou can do something like {{ foo | first }}
aRdoR_yeah, "host": "" works fine
aRdoR_i sent it to |string and it converted it into "host": "[u'']"
agaffneybecause it was an array
aRdoR_host: "{{ pub_web01_stack | json_query(\"stack_resources[?logical_resource_id=='IPAddress'].physical_resource_id\")}}"
aRdoR_To concatenate a list into a string:
aRdoR_host: "{{ pub_web01_stack | json_query(\"stack_resources[?logical_resource_id=='IPAddress'].physical_resource_id\") |join() }}"
aRdoR_that worked found in the filters section of the docs.
aRdoR_agaffney: thanks
desnudopenguinoi'm using ansible with terraform to build/config some AWS infra. is there a way to set up additional users/dbs on an already existing RDS instance using ansible?
desnudopenguinoah, looks like i can use the mysql_db module, and pass in login creds and do it.
bngsudheer_Ansible can't find the roles installed via Galaxy.
bngsudheer_But the roles are present in /root/.ansible/roles/
henkI have a role 'exim4' that is included in a play. I have another role 'bsd-mailx' with a dependency on 'exim4'. When I run the playbook, the tasks for 'exim4' are done once right before 'bsd-mailx' is realized, and then again when ansible encounters the explicit 'exim4' role in the play. Is that intended or a bug?
henkor is anything wrong with my play? (:
ericzolfif the exim4 role is called with different parameters, it's called multiple times, else it shouldn't be called multiple times, but there is a flag for this as well.
ericzolfthe question is: if you know there is a dependency, why do you call explicitly exim4?
henkericzolf: because I don’t want to think about whether there is a dependency. ATM I want bsd-mailx and exim4 on that system. Maybe some time in the future I choose to _not_ want bsd-mailx anymore and remove it. I don’t want to have to remember to include exim4 then.
wandering_vagranHi all, if I want to pass my password as a variable during execution of a playbook how do I do that? This is in context of a particular task that I am executing with shell module. I can use ansible vault and move to roles at some later point, but for now I have to use some form of crude mechanism (if you will).
wandering_vagranthe particular line is "realm join <AD-domain> --user wandering_vagran"
wandering_vagranto join my host with the AD domain
henkericzolf: you were right with your first comment: the include in the play had a 'tag' set for this exim4 role, while the dependencies in the other roles did not. that seemingly made exim think they are different roles. Not sure, but a tag does not seem to change the role, so it does not make sense to me how ansible behaves. Is that a bug?
ayrusHi I'm currently having ansible on ubuntu 16.04, I want to install 1.9.4. How to install multiple version of Ansible on single server. I have tried using virtualenv, but while installing 1.9.4 its gives error. Please help me with that.
AndreasLutroayrus: you need python 2.7 or newer
henkIMHO giving a tag when including a role in a play should not make that role be different from when it is included without a tag. i.e. the behaviour that the task 'debug bar' in is run twice seems like a bug. Is there any sensible explanation or is it a bug?
flowerysongdebughenkfoo depends on debughenkbar, so debughenkbar must run before it. debughenkbar is explicitly listed after debughenkfoo, so it must run after it. To satisfy these constraints, it must be run twice.
henkflowerysong: phrased like that, it does make sense … thank you (:
koleonHello guys, how can I get latest devel version of ansible please? pip install git+
iTeVHmm, can I have multiple entries with `with_fileglob`?
iTeVIt seems like ansible only does the first one
iTeV< first one == first entry in with_fileglob >
henk"best/common practice" question: I want all of my hosts to have rsyslog (same for exim4, ntp, and other daemons) installed. Most hosts get the "default" setup, specific hosts get a different config, sometimes just minor differences, sometimes major ones, e.g.: normal hosts should not have rsyslog listening on UDP, a select few should. How can I model that? Should I work with conditionals on the task level or
henkshould I make different roles or something else entirely?
formanjosome ansible specialist?
henkformanjo: yes, special expert here. have been using ansible for over 1 month now!!kk
formanjoOK, I need within my ansible module to launch multiple daemons trying to use daemonize function in module_utils/, but facing pickle error, are you the right person?
henkformanjo: no
fairuzHi guys
fairuzI've just installed ansible using brew
fairuzbut even ansible --v is very slow to respond. Is this normal?
proyconFrom a role in my roles/ dir I should be able to use any other role in my roles/ dir right?
moritzfairuz: ansible --version takes 0.9s here
AndreasLutropython programs tend to be notoriously slow to start up, yes
moritzbut I think it's new that it's *that* slow
kassavhello guys, i have some issues with dynamic inventory
kassavi created a python script that creates an inventory file
kassavthe inventory file contains this
andreafgood morning ansible experts :)
kassavwhen i run the playbook with the script as -i parameter
kassavi got failed to parse with ini plugin
kassavunable to parse as an inventory source
moritzuhm, I thought dynamic inventory plugins are supposed to return JSON?
moritzalso, are you printing the ini to STDOUT?
Rolfsis the dynamic inventory script executable?
kassavmoritz: not printing
kassavRolfs: yes i run it
andreafI'm trying to write a list of tasks that behaves differently if a input variable is a list or a dict - I use with_dict in case the variable is a dict - and with_dict complains about the input not being a dict even if the corresponding task should be skipped
odyssey4mekassav I assume that HOSTNAME{1,2,3} are on separate lines below the group name?
kassavi'm not sure if i should return a json or a simple format is enough
moritzkassav: but that's the API
kassavodyssey4me: yes separated
andreafI tried a lot of versions the latest is - but even using when on a block does not exclude with_dict being processed
moritzyou write a script that produces the inventory on STDOUT
odyssey4meok, to be clear - you're not actually using a dynamic inventory in this case - you're using a script to generate an INI formatted inventory config file
moritzansible-playbook starts it with a pipe open
kassavodyssey4me: yes that's right
odyssey4meare you using -i {ini file path}, or -i {dynamic inventory script path}
Rolfskassav: And the output is json format? could maybe try running it with './ | jq .' to check the json ?
kassavodyssey4me: -i dynamic_script
moritzthat's the problem
odyssey4meok, if you're generating an ini file using the script, then you should use -i {ini file path}... but if you want to have a dynamic inventory based on the script, then you need to generate json as the others have mentioned
moritzand produce the JSON on STDOUT of the script, not write it to a file
odyssey4mesee for more details
kassavthe fact is, i need to get the hostnames from a third party tool (database)
Rolfs$( > inventory.ini ; echo "inventory.ini" )
jungleslowHey folks, quick question. I created a user in my role with a "chroot /mnt useradd ... -p {{pass}}" where pass is sha512. And then "add_host" to connect, with ansible_password: {{pass}}. Is Ansible supposed to know that it's sha512 in add_host ? I have authentication failure when trying :( Thanks.
henkIn which places can I specify dependencies? Only for roles in role/foo/meta/main.yml or is there another place?
odyssey4mejungleslow you'll have to tell it how to decode the value you give it in your task - ansible is just passing the value as-is and has no idea how to interpret it
henk suggests that 'include_role:' is newer syntax than 'roles:'. Does that also mean it is preferred or is it just fine to use 'roles:'?
henkhm, immediately followed by 'import_role' … And it also says "You can conditionally execute a role. This is not generally recommended with the classic syntax". Why is it not recommended? Should I be using 'import_role:' and 'include_role:' instead of 'roles:'?
Nothing4You_hey, could it be possible to have different ansible_machine and ansible_architecture facts? i'm trying to figure out which one to use and why there seem to be multiple items showing the same values
tuxickmost likely depends on dist/os
kassavhello again
kassavi have a small question
kassavwhen i include a playbook into another
kassavif it's not case insensitive, i will get issues
kassavare there an automatic manner to deal with that
jungleslowHey sorry, have been disconnected. Don't know if I got replies for my question :/ ?
rvgatekassav, for filenames its generally a good idea to always do lowercase
kassavyes, but if someone type a file name with an uppercase, it will fail
agaffneyjungleslow: ansible doesn't know/care that it's sha512. how are you trying to "connect" to your chroot?
rvgatekassav, good :) forced them to type them lowercase and build some consistency in the code
agaffneykassav: then it fails. ansible is case sensitive, partly because it was originally designed on OSes with case-sensitive filesystems
jungleslowThe thing is that I'm configuring my server with PXE, doing the RAID, then debootstrap on chroot /mnt etc etc and then rebooting the server to boot on the recently created partition
kassavrvgate: some consistency on the code: what do you mean by that
agaffneyjungleslow: one thing to consider is that you probably need some single quotes around the sha512 password hash, or the shell will "eat" large sections of it because of the $ in it
jungleslowI just change the host on my playbook to connect on the new host created with add_host
jungleslowWhat I know is that the command useradd understands the "$6...."
agaffneyyes, but it won't *see* that if the shell gets to the $ in that string first
rvgatekassav, as in, everyone should respect case sensitive.. if someone doesn't, it simply doesn't work... no need to allow sloppiness
agaffneyNothing4You_: yes, when I test with 'linux32', I get i386 for ansible_architecture and i686 for ansible_machine
Nothing4You_agaffney: thanks
agaffneybut they're both x86_64 without using linux32
agaffneyit looks like 'ansible_machine' will be more specific, depending on your needs
rvgatewhat is the required git version to make the git module work properly
agaffneyrvgate: what's not working? I'd be surprised if it required anything super "modern"
rvgateagaffney, i get an argument error on --no-patch
agaffneyrvgate: <-- the docs say >= 1.7.1
rvgatehmm.. actually.. im wondering if its coming from the git module
rvgateagaffney, i have to apologize, its me doing the command through shell :P not respecting different versions of git
rvgateis there maybe a mechanism to avoid running a certain playbook using older versions of ansible by accident?
AndreasLutroyou can probably use the "assert" module along with the ansible version variable + the version_compare filter
rvgateyeah, was considering that.. but maybe its already in there for example in the config.. minimal_ansible_version=2.4.x or something ;P
rvgatewould actually be a nice feature to have
MetalindustrienOkay, so I'm completely new to ansible and just trying to understand the code of our head ansible guy. One of the scripts he has does, among other things, this:
MetalindustrienBut when I run it with ansible-playbook (with -C obviously) I get an error:
MetalindustrienBasically saying <class 'ansible.errors.AnsibleUndefinedVariable'>\nexception: 'dict object' has no attribute 'stdout'"}
MetalindustrienI'm just wondering what that means
MetalindustrienIt seems to be a common command, so it's weird that it's failing. I'm guessing it's because the date command is being skipped?
sheeshMetalindustrien: Yeah, that's why
sheeshIf it's skipped then no stdout will be set on the registered variable
rvgateMetalindustrien, shell does not support -C mode, so its not giving you an stdout in the results
MetalindustrienAh okay, that makes sense - thank you :)
larsksMetalindustrien: you can make tasks like that execute even in check mode by setting check_mode: true... (
rvgateMetalindustrien, you can ignore the check mode (if you are absolutely sure its safe to run) with a flag: check_mode: False
rvgateim slow today :P being outrun by others!
larsksrvgate: False? Huh, maybe I am misreading the docs.
rvgatelarsks, yes, its false for some reason
larsksACTION is misreading the docs.
larsksYeah, no, I get it. I think the phrasing in those docs is a little awkward.
sheeshTrue means "run this in check mode even if the run is in normal mode"
rvgatei just figured it needed to be false by trying :P
sheeshBecause otherwise it wouldn't be confusing enough
larskssheesh: yes, agreed, like I said :)
kassavhi again
kassavi got a question
kassavsuppose i have a list of servers
kassavand in one playbook, i have to deploy on one or two servers based on another logic
kassavis it better to use inventory file with all the servers, or use an inventory with servers that i will use
skbunGenerally in the play, I specify 'hosts:' with exactly the hosts I want it to run with. The inventory file always has all servers I work with.
ClowningAroundhaving some issues getting windows world rocking with ansible. I can kinit and show tkt with klist, but getting "Server not found in Kerberos database" when trying to use ansible to talk to windows server
jjeganathanAny "chage" module or user password expiry feature planned ? :D
gregabjjeganathan: user: name=foo expires=${epoch}?
jhawkesworth_ClowningAround: is your server really called SERVER.DOMAIN in AD?
jhawkesworth_ClowningAround: 'Server not found in Kerberos database' usually means that ActiveDirectory doesn't know about the machine name you are trying to use.
jhawkesworth_ClowningAround: I recommend using full domain name rather than just the top level
jjeganathangregab: I don't think "expires" is for the password but to deactivate the user in the system.
agaffneythere seems to be a difference between user expiration and password expiration in *nix that I've never bothered to quite wrap my head around
moritzI'd guess password expiry is only relevant if you log in with your password (and not, say, ssh key)
bcocayep, you can expire password and user can still login with 'other methods'
bcocawhen you 'expire user', he cannot login at all
jjeganathanCorrect, that's why I asked if there was something specific to passwd expiry
bcocaACTION has the bad habit of editing /etc/shadow and setting the password field to 'L'
bcocajjeganathan: not sure, i know its been a request for the user module, iirc the problem was that 'password expiration' is not offered on all systems nor in anything close to a 'unified way'
jjeganathanOh okay, I understand :)
oliv_____trying to get ansible to read from aws ssm. I downloaded and getting a syntax error. anyone got this to work?
oliv_____how do you debug syntax error...
kjetilhoI read very closely
___JustinIm having some trouble figuring out how to loop through the results of a registered variable. I would like to use the 'id' field that is returned.
___JustinIm trying to replicate the volume tagging shown in the docs, but have not been able to do so.
___Justinwhen trying to use the ec2_tag command, I keep getting 'The task includes an option with an undefined variable. The error was: 'id' is undefined' -- which makes enough sense, im obviously not referencing it correctly
DerDuddlemaybe try ?
flowerysong___Justin: You haven't shown us what you're actually doing.
sivel___Justin: with_items: "{{ ec2_vol.volumes }}"
___Justinfatal: [localhost]: FAILED! => { "msg": "The task includes an option with an undefined variable. The error was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'id'\n\nThe error appears to have been in '/home/ec2-user/deployment/ansible_mfa/roles/internal/mfa_ec2/tasks/present.yml': line 58, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears
___Justinwhich is coming from the `ec2_tag` module
sivel___Justin: without seeing the output from your debug task, not sure. But that fixed the problem with you not using the correct syntax for with_items
sivelunless you didn't update the with_items as I indicated
___JustinThe documentation does show the with_items as being inside '{{ }}' -- is what Im doing somehow different, or is the documentation incorrect?
___Justinits the part "- name: Ensure all volumes are tagged"
sivel___Justin: that example is incorrect
sivelit used to be correct, but the syntax has since changed
gregabbcoca, jjeganathan, moritz, agaffney, the exact difference is that a password expires, and a user account can be set to be locked x days after password expiry
gregabso the only thing that expires here is the password
___JustinThat was it, thank you.
gregaban easy fix would be to add a disabled_on: parameter and a "state: disabled"
gregabas far as i see right now, there is no way to create a disabled user account
gregabor change it from active to disabled
gregaband yes, i agree, between windows, darwin and posix-compliant systems, there is no standard way to do this
gregaball posix systems (should) have a setpwent with struct passwd though
gregabeven darwin has that
Tyklingdo facts gathered in one play remain available in the later plays in the same playbook?
Tyklingin other words, do I have to wait for "gathering facts" more than once in a playbook? it seems to do the exact same thing 20 times in a playbook with 20 plays
Tyklingcould I just set gather_facts: False in all plays but the first and not notice any difference?
agaffneyfacts will not be gathered again for a specific host in subsequent plays in the same playbook
gregabTykling: you can cache facts and then them
gregabs/them/reuse them/
gregabTykling: also look here:
gregabTykling: so what you want is "gathering = smart", really, that would do what agaffney says
davidianhey everyone, anyone know a good ansible module for uninstalling a .deb package?
gregabdavidian: "package"?
davidianyeah, an apt .deb package
Tyklinggregab: cool thank you, weird that "smart" is not the default, but I guess it is better to have conservative defaults
gregabTykling: yeah, because different plays may work with different inventory groups
gregabTykling: in fact, they usually do, so there's no intersection between them
davidianthanks Rydekull
Tyklinggregab: but in that case "smart" wouldn't hurt, right? it would just do gathering for the hosts it didn't get in the previous play(s)?
gregabTykling: indeed, but it would change the default behaviour from older versions.
gregabTykling: so if something depended on default behaviour, it could break for no apparent reason.
gregabTykling: (do not underestimate the weirdness of things people sometimes come up with) ;)
Tyklinggregab: got it -
gregabTykling: precisely, hahaha
wilforehaving an issue with register variables and wondering if someone could help out
ingyACTION waves to bcoca o/ :)
kvozHow can I accomplish sending a template to a server including the row: summary: "{{ instance }} is up". I want the file on the server to actually look like that, I dont want ansible to try to evaluate the instance variable
AndreasLutrokvoz: I would make it into a file and use the copy module just to keep things simple, but if you don't want to do that, look into jinja's {% raw %}, or just do {{ '{{' }}
kvozAndreasLutro, works well, thank you!
agaffneygregab: huh, TIL. I thought 'gathering = smart' (and its behavior) was the default, but I was wrong
gregabagaffney: no worries ;)
agaffneyI guess I don't do many multiple-play playbooks to notice :)
gregabagaffney: yeah, same here :) i only teach that stuff, i don't really use it a lot these days
LorD_n1c0wHello, Someone know who use --limit to use a group and a alias to execute a task just for one alias of an group? I was trying :
LorD_n1c0w ansible --limit="eua-h,sbr9" -m raw -a "grep plaintext_auth /etc/dovecot/dovecot.conf | grep -v "^#"" -i environments/hdbrshared/ggtt
LorD_n1c0wBut it not works
agaffneyLorD_n1c0w: what is an "alias"? it's not clear what you're trying to do
vkLooking for an efficient way to parse inventory host_vars and expand jinja2 templated vars, then dump json. I currently have a python script that calls ansible-playbook with a dummy playbook that runs on localhost and dumps hostvars (via debug). Not scalable, so just starting to revisit this old design. What's a better way?
agaffneywhat are you looking for out of host_vars? you can get facts by configuring fact caching and gathering facts
agaffneythe 'ansible-inventory --list' command will show any vars defined in the inventory file for a host
agaffneyyou could also possibly optimize your existing process a bit by having your playbook write out a per-host YAML/JSON file on the local host, rather than needing to parse the output of ansible-playbook
vkWe have inventory in git for many hosts, and we have existing tools that need to consume ansible inventory, which contains things like software versions, locations, various playbook vars, etc. The inventory vars contain references to other vars to avoid duplication (for example software version used to construct log file location). So reading directly from git results in unexpanded vars.
vkHence the playbook run.
vkYes, thinking of periodic cached output.
gregworkhas anyone deployed awx on an atomic host ?
agaffney- copy: dest="/tmp/{{ inventory_hostname }}.yaml" content="{{ host_vars[inventory_hostname] | to_yaml }}"
LorD_n1c0wagaffney: its an alias for a host, so if the full name is, I just call it sbr9 when run the command
LorD_n1c0wagaffney: that's why I need use --limit, for execute my thing just for an host from a group
agaffneyLorD_n1c0w: that's just a host to ansible. it has no concept of aliases. it sounds like you're trying to limit the run to a single host, so why specify the group at all? just use '--limit sbr9'
agaffneygregwork: #ansible-awx is a better place to ask that
gregworkagaffney: alright
vkagaffney: Was hoping there was a more direct way in the ansible python tree. The copy might work if we know the full list of hosts and walk through the inventory tree ... typically integration tools just need a dump with everything (or all hosts in a specific group), then they can pick details dynamically.
vkFor now it seems running a playbook and caching the output is the only way. If there's some other hook in the code to just read inventory and dump hostvars after templating, before the play loop, that would be ideal.
agaffneyvk: there's nothing (that I know of) built-in to do what you want. you could potentially use the ansible python API directly, but that's unsupported
agaffneywhy before the play loop? how is that really different than just writing a simple playbook that does the dump in whatever format you want?
agaffneyvk: for the 'copy' method, you'd use that with 'hosts: all' and 'connection: local', so that ansible would iterate the hosts for you but run everything on localhost
agaffneyyou could also create a .j2 file that does the iteration over all hosts to get the output in a single file
vkJust guessing that it would save a bit of time with a couple thousand hosts.
vkI'll try the jinja template iteration ... will have to experiment a bit
vkagaffney - just for some context, a playbook run on a decently beefy server to run ansible-playbook and dump hostvars with the debug module takes about 3 minutes for ~ 2000 hosts (total exec time; with ansible-2.4.2). Will experiment to see what can reduce that.
ClowningAroundjhawkesworth_: thanks for the reply. I ended up bailing off kerberos to NTLM and it is working as expected.
interstate8hi what is the best way to feed an ip into ansible-playbook command in lieu of an inventory?
interstate8i see some stackoverflow answers that mention using commas and including hosts: all in the playbook
interstate8but those are from over 2 years ago
larsksinterstate8: sure, you can specify a comma-separated list of hosts/ips as an argument to the -i option.
larsksansible-playbook -i host1,host2 playbook.yml
interstate8thank you i will try just using a single ip that terminates with a comma
jhawkesworth_ClowningAround: glad you are up and running. Kerberos has some useful stuff, such as credential delegation so might be worth a bit more digging, depending on what you need to do
efadenI'm new to ansible, but trying to use it to manage my dotfiles. Basically right now I have a directory stored in git that ansible retrieves and then makes symlinks from that folder into my ~/ ... the question is how do I get it to redeploy the role "dotfiles" if I add a new dotfile?
BManojlovicefaden: it should just run sync
BManojlovicefaden: i mean i do not know how did you do your role
BManojlovicefaden: but if you used for example synchronize it should "just do it"
efadenRight now I have a folder with files in it... and a task to run on each file in the directory to symlink the file to ~/.<filename>
BManojlovicwhich is fine
efadenThe files are pulled via git into ~/dotfiles/ which is where all of the ansible stuff is.
BManojlovicwhich module you used?
BManojlovici mean what is creating symlinks
efadenI basically used this as an example (
BManojlovicbut used symlink ?
efadenSymlink on a var which is an array of the files
BManojlovicjust paste on
BManojlovici am a bit confused what you did
efadenWhich file?... the tasks?
BManojlovicfiles no
efadenThe vars referenced just have a list of the files to symlink
efadenI'm trying to figure out how to get it to/or how it would handle if I wanted to add a new file to symlink
BManojlovicso it is "file" module NOT copy
BManojlovicif you added file to dir fileglob will pick it up
efadenSo I would just re-run ansible with that role against that host?
BManojlovicand just redo everything new and skip existing
BManojlovicthat is idea
efadenawesome. thats what I figured
efadenWould it be the same thing if instead of a fileglob I was using a "var"? ...
efadene.g. with-dict
BManojlovicwith_items i would use,
BManojlovicbecause it is supposed to be on remote host
efadengot it.
BManojlovicdoing task ls /dotfiles
BManojlovicyou register output and use that as with_items: registered_variable.stdout_lines
efadenGot it. Thanks
BManojlovicas fileglob is local only
davidianhas anyone ever used ansible to manage a connection to an openvpn server that provides access to a group of hosts?
Joeldavidian you're looking to use a specific server as a jump host?
davidianno, not a jump host
davidiani have several groups of servers. each are within their own aws vpc. i connect to each of their virtual networks via an openvpn server contained within each vpc.
davidianright now i just manually connect to the appropriate vpn server, then run playbooks against the hosts within the corresponding network
davidiani'd like to be able to run through everything and have ansible manage the vpn connections
davidiani did some googling, but it kinda looked like this isn't really a thing yet
agaffneythat sounds like you want a playbook that establishes the VPN connection, runs ansible-playbook, and then tears the VPN connection down
davidianyeah, exactly
agaffneythat's not exactly a common pattern, so you'll mostly be on your own there
aRdoRDavidian: did you say manual? we dont use that kind of language in #ansible
davidianheh :)
aRdoRdavidian: local commands?
davidianthat's what i was thinking i might try
aRdoRanother option is
aRdoRyou could do ansible pull
aRdoRwith a cronjob
aRdoRassume you store your playbooks on the cloud
aRdoRa 3rd option
aRdoRis you could allow your Public IP address and only your public IP to be able to SSH through the SG group and not even use the vpn
davidianmost of the hosts don't have public IPs, i think i'd have to redo a lot more than just allow my IP through the sg group of each vpc. not sure
AndreasLutrodavidian: consider setting up a single ssh jumphost/bastion host in each vpc maybe? it's a lot easier to configure ansible to connect through a jumphost than a vpn
davidianthat's true, i've had it run some playbooks that way for some hosts that are only accessible that way
JoelIf you're in AWS you shouldn't be connecting to running servers anyways.
JoelYou should be building AMIs
LorD_n1c0wagaffney: ERROR! Missing target hosts
LorD_n1c0wwhen I execute shows this
LorD_n1c0w ansible --limit="sbr9" -m raw -a "grep plaintext_auth /etc/dovecot/dovecot.conf | grep -v "^#"" -i environments/hdbrshared/ggtt
JoelLorD_n1c0w you have to specify the hosts to run against in your inventory
Joelall? some_group?
LorD_n1c0wsbr9 ansible_ssh_port=1111
LorD_n1c0wsbr2 ansible_ssh_port=1111
agaffneyLorD_n1c0w: that's because you didn't specify an initial group of hosts to use --limit against. the 'ansible' command requires a host/group specifier on the commandline
agaffneyLorD_n1c0w: in the case of the 'ansible' command, just do 'ansible sbr9 -m raw ...'
LorD_n1c0wso what I need edit on my command
agaffneyyou only need --limit to act as a "filter" on the otherwise-specified hosts/groups to target
LorD_n1c0wansible --limit="sbr9" -m raw -a "grep plaintext_auth /etc/dovecot/dovecot.conf | grep -v "^#"" -i environments/hdbrshared/ggtt
LorD_n1c0wI already tested
LorD_n1c0wlike this:
LorD_n1c0wansible --limit="eua-h:sbr9" -m raw -a "grep plaintext_auth /etc/dovecot/dovecot.conf | grep -v "^#"" -i environments/hdbrshared/ggtt
LorD_n1c0wand its not work too
Everspaceneed to escape those quotes.
agaffneyplease re-read what I just said above
LorD_n1c0wI read agaffney but not understand when this case will happen
LorD_n1c0wI have a hosts with 120 shareds servers here
LorD_n1c0wand I am testing it, and not working
EverspaceLorD_n1c0w: limit is only when you have things to limit against
EverspaceLorD_n1c0w: The invocation of ansible is "ansible <host-pattern> [options]" You do not have a host pattern
LorD_n1c0wEverspace, is too much you show me how the syntax works?
LorD_n1c0wfor the case I said above?
EverspaceThe syntax is "ansible <host-pattern> options"
EverspaceIf you can't deal with how to do commandline stuff, I think you need to rethink your options
LorD_n1c0wok I will try my best here
LorD_n1c0wthanks for the concern agaffney and Everspace
EverspaceLorD_n1c0w: riddle me this, what are the options you're currently using?
LorD_n1c0wEverspace I send you on private abt the cause, are described
EverspaceLorD_n1c0w: There is no reason private message anyone
agaffneyLorD_n1c0w: we already know the cause of your error, and we've tried to tell you what it is, but you're just not listening/understanding
agaffneyyou are using the 'ansible' command wrong. the 'ansible-playbook' gets its target hosts from the playbook (`hosts: all`), where the 'ansible' command requires you to specify it on the commandline. you are not specifying it on the commandline
agaffneythe --limit option does NOT remove the need for you to specify some host/group on the commandline
agaffneyand as I said before, you should just replace `--limit="sbr9"` on your commandline with *just* `sbr9`
agaffneyit rarely makes sense to use --limit with the 'ansible' command
m1yag1hello ansible pros. what ansible fact could i use to determine the python interpreter ansible is using? I'm making it use python 3 but i have another role that installs psycopg2 and i'd like to install the proper one depending on what interpreter rather than installing both.
m1yag1oh i probably answered my own ? it's probably the same one i used to set it in my inventory vars.
NecrosanYou cookin' with fire now, m1yag1 !
m1yag1need more :coffee:
m1yag1doing stupid things faster.
NecrosanYeah, I think it's about that time for me too.
LorD_n1c0wagaffney: thanks
LorD_n1c0wEverspace: thanks too, for the explain it on private, now its clear for me
Tyklingwhat is the easiest way to debug a handler that doesn't work as intended? the handler is using the command module, and the command works when I copy paste it and run it by hand
agaffneyTykling: does the command use any shell features (pipes, redirection, etc.)? could it be expecting certain env vars to be set?
Tyklingit is command: "/usr/local/bin/supervisorctl reread; /usr/local/bin/supervisorctl update" so I guess the ; could be considered a shell feature
agaffneyyes, so you want to use the `shell` module instead
Tyklingof course, makes sense, or split it into two handlers
Tyklingthanks, sometimes you just need an extra set of eyes :)
agaffneyusing 'command' when you need 'shell' is a common mistake
EverspaceI feel like that is a flaw of the design. I can see both ways. It would probably be nice to perhaps parse for stuff and send out a warning or the like, but that sounds like no end of trouble.
agaffneyif you wanted to merge them into a single action (probably 'shell'), you'd still have people wanting a way to NOT use the shell. you could have made it a param to the module, but passing params is tricky with command/shell since they take the free-form field for the command
hypercorewhat's the best tool to use with ansible for creating DO droplets (or provisioning cloud servers in general)?
agaffneyin the case of auto-detection of whether the shell should be used or not, I can already think of a case where that would be...tricky: the ; as part of the -exec option to 'find'
EverspaceI fell like that's an argument for shell/command being standardized as "command: cmd='cowsay whatever' shell=yes"
EverspaceI fell
Everspacehypercore: Is there no DO module? I would probably write a python script to do the provisioning otherwise, or make my own module to do so.
agaffneyI agree, but it's not worth breaking backwards compatibility and making using the ad-hoc 'ansible' command more difficult
agaffneywe're essentially stuck with the current command/shell design, unless a new module is created with a different name
EverspaceAd-hoc is quite nifty. I feel like shell should probably only be in ad-hoc, and in playbooks it should be specific as to what you're doing.
EverspaceBut that's breaking the unity of all the bits and bobs and that's no good either
agaffneyit's a minor problem that can't be solved without semi-major annoyance
EverspaceI feel like this is the python2/3 print debacle.
EverspaceAnd that went *so well*
agaffneyheh, kinda
_nu11ptr_question, using network config modules like ios_config/nxos_config is there any way to do config removal with proper idempotency?
_nu11ptr_seems like it is only designed to push new stuff, not full config lifecycle
agaffneythat probably depends on the individual module
_nu11ptr_@agaffney most definitely does - asking specifically about ios_config/nxos_config
agaffneyyou said "like", so it wasn't clear you specifically meant those, or just the network modules in general
_nu11ptr_@agaffney - all the network *_config modules essentially shove raw config, so the principle will be the same with all of them
agaffneyiirc, when I played with them in the past, I handled config removal by doing one task that checked that part of the config to see if what I wanted to remove was there, and then another task that used that result to determine whether to remove something
agaffneythis was mostly for ensuring things like DNS and NTP servers contained *only* the entries that I wanted
agaffneythe modules aren't really designed to be idempotent, as that would probably require a more thorough understanding (within the module code) of what the config items you add/remove are doing
agaffneyfor the ios_config module to know that "no ntp server foo" is the counterpart of "ntp server foo" would need the module to actually understand what that command means, which is impractical for any/all config options
ComnenusI see there are a couple of ipmi_ modules, but not one to configure ipmi (set username/pass/IP/etc). Does anyone know of a module anywhere that will do this? Or maybe some workaround?
ingyI've worked out a way (in Python) to allow `this: "{{ that | doit }}"` to not require quoting around the value. ie you can just do this `this: {{ that | doit }}`.
ingyI'm going to try to turn it into a PR for