<bcoca> no, but the connection to the bastion for a specific host should be reused
<bcoca> bastion cannot change the 'proxied' host over the multiplexed connection, so it makes no sense to share a connection at that point
<robin> bcoca: I see, thank you for your detailed explanation.
<PrasadK_> I know about `meta: end_play`. Is there a way to exit out of a playbook by doing `meta: end_playbook`?
<Enphuego> I'm having some major issues with vmware_guest failing when I have two port groups with the same name
<Enphuego> is this PR in 2.4 or is it still in dev? https://github.com/ansible/ansible/pull/24768
<itdependsnetwork> any chance that when you register a variable, it strips the beginning whitespace?
<Enphuego> how do I put a module into a role?
<Enphuego> like I want my one role to use a different version of the vmware_guest module
<agaffney> you may want to use a different name for your version of the module to avoid any issues with the built-in module
<Enphuego> thanks agaffney
<Enphuego> I think I'll keep the same name - it's just a patch and I'll delete it once the PR makes it to prod
<kichawa> i can't apply ansible_user from inventories/dev/group_vars/aws
<kichawa> if i copy aws file in host_vars/my_ip it works
<agaffney> kierank: that would imply that the host is not in the 'aws' group, assuming that group_vars/ and host_vars/ are sitting next to each other
<htaccess> robin: have you read https://docs.ansible.com/ansible/latest/playbooks_best_practices.html#directory-layout ?
<htaccess> oops scrollback fail there
<htaccess> so i have a playbook with no tasks I run it and get ok=1 from gather facts, so far so good
<htaccess> then i add one task say command: uname -a, and i get ok=2, changed=1 where does the extra ok come from?
<htaccess> seems to be something special about the command module
<flowerysong> 1 + 1 = 2.
<flowerysong> Changed tasks are a subset of the ok tasks.
<htaccess> ok wow, I'm not sure how I have managed to never notice that. I have always assumed it's ok + changed = # of tasks (and fails obviously)
<klep> anyone using Tower 3.2.1
<agronholm> hi, does anyone know why there is no wheel shipping for ansible?
<misc> because no one did, I think, and most people think the pip install is enough (or the packages) ?
<agronholm> wheel generation can be fully automated so nobody has to spend 1 more second doing it
<agronholm> and it makes installation faster as pip doesn't have to generate a wheel of it
<agronholm> do you happen to know how ansible's release process works?
<mzf> how can i run different role1 on host A and role2 on host B all within one playbook?
<misc> https://github.com/gluster/gluster.org_ansible_configuration/blob/master/playbooks/deploy_bastion_vm.yml like this
<misc> first part is run on myrmicinae (it creates the VM), and the 2nd is the VM created, and it runs some roles and tasks, as if it was a second playbook
<mzf> misc: thanks
<mibiir> hi i can't run ansible on localhost
<mibiir> localhost | UNREACHABLE! => {
<mibiir> "changed": false,
<mibiir> "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n",
<mibiir> "unreachable": true
<mibiir> localhost | UNREACHABLE! => {
<mibiir> "changed": false,
<misc> mibiir: you can use -c local to run it without ssh
<mibiir> "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n",
<mibiir> how can i use -c.. i mean where?
<misc> ansible -c local ...
<misc> on the command line, for either ansible, or ansible-playbook
<misc> but what are you trying to achieve ?
<mibiir> i use a custom ansible and i can't use -c.. can i put -c somewhere?
<mibiir> i want to use ansible to use ceph
<misc> well, what do you mean by "you use a custom ansible" ?
<mibiir> custom config for installation.
<misc> I am still unsure on how you run ansible, or the exact setup you have
<misc> for example, what command line did you use ?
<mibiir> this command run_ansible
<misc> and where does it come from ?
* do0m good morning
<xmj> you're asking for support for some custom ansible nobody here knows
<xmj> talk to your vendor.
<mibiir> run_ansible. run many command to install ansible. in university we build command run_ansible
<xmj> show source code
<mibiir> i don't have access to source code :(
<mibiir> can i turn off ssh on another way?
<do0m> isn't run_ansible just an alias ?
<do0m> isn't the normal binary installed ?
<mibiir> i don't know really
<do0m> locate ansible
<do0m> whereis ansible
<misc> mibiir: ok so you are connected on some server, with a run_ansible command, can you tell more about the context ?
<mibiir> i use an image file to run it on my laptop
<misc> an image file, what do you mean ?
<mibiir> it just works when i set ip address over the network
<mibiir> but when i set ip doesn't work
<mibiir> image file = iso
<ompragash> mibiir, try it with -u username
<do0m> ansible -vvv localhost -m ping
<do0m> or run_ansible -vvv localhost -m ping
<do0m> see if that works :|
<misc> and where does the iso come from ?
<mibiir> localhost | unreachable
<mibiir> "changed": false,
<mibiir> "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n",
<mibiir> "unreachable": true
<do0m> ansible -vvv localhost -m ping
<do0m> is 'run_ansible' an alias or a binary ?
<xmj> do0m: vim `which run_ansible` :
<misc> I wouldn't inflict vim on someone having troubles :/
<misc> file `which run_ansible` is more than enough
<xmj> misc: you don't have enough popcorn
<xmj> also file doesn't let you *read* the sourcecode
<mibiir> no doesn't let me see sourcecode
<xmj> unsupported, contact your vendor
<mibiir> ok thanks
<Pepe_> !search tower
<answerbot> (Pepe_) http://docs.ansible.com/ansible/#stq=tower
<hbf> Can I take a list and wrap each member inside a deeper structure? I've got a group G with members [one, two, three], and need to produce a variable with [{A: one}, {A: two}, {A: three}].
<agaffney> hbf: technically yes, but you'd probably struggle to accomplish it with the stock jinja filters. it's easy enough writing a custom filter to do it, though
<newjuice6> is it possible to take a 'vault'd value and run it through a hash filter?
<newjuice6> if so, what exactly is the syntax for that?
<Pistahh> hbf: https://pastebin.com/f2MbR05u
<Pistahh> newjuice6: i don't really understand your question
<newjuice6> Pistahh: let's say i used ansible-vault to encrypt a single variable. this variable will be a user's password. I want to figure out how to use the 'hash filter' to turn this encrypted string into a sha256 hash, to then push to a node as a user's new password
<do0m> cat vaultfile | sha256sum
<maldridge> you should almost certainly use the encryption functionality in the user module to do this correctly
<newjuice6> I was hoping to simply include it within the playbook
<do0m> i don't understand the use case
<maldridge> (and set log: false on that task)
<newjuice6> what encryption functionality is that? All it says is that it takes the hash-- does the user module actually provide functionality to hash the password itself?
<Pistahh> newjuice6: the vault is "transparent", the variables it contains are unencrypted automatically when used, i.e. it doesn't matter if a value comes from the vault or from any other regular place
<maldridge> iirc you can give it a string and it will perform the proper hashing
<maldridge> otherwise you could use a delegated task to localhost and call mkpasswd on the variable, capture the output, and transmit that
<newjuice6> right. so my specific question is as follows. the syntax to access a variable is "{{ my_var }}", correct? and to use the hashing filters is this syntax: {{ 'test' |hash('sha1') }}. So my question is how to put a variable into that hash filter
<maldridge> {{ my_var | hash('sha2') }}
<maldridge> as stated above the vault variables are no different than normal ones
<newjuice6> ok cool. i just wasn't sure if the entire line needed to be in "" like other lines
<Mitigating> if you use the : syntax you need to do that
<newjuice6> so password: "{{ secret_pw |hash('sha2') }}"
<Mitigating> like name: "{{ something | filter() }}"
<newjuice6> ^that's proper ?
<newjuice6> Mitigating: gotcha, thanks!
<Mitigating> I have a question for you
<Mitigating> are you OJ?
<newjuice6> i can't say that I am
<newjuice6> not yet at least
<Pistahh> newjuice6: personal preference, I would store the hashed password in the first place, so 1. the plaintext would not be exposed (accidentally) 2. no need to bother with hashing later
<Pistahh> newjuice6: with a strong hash + many rounds (+ if you know that the password itself is strong) then it is not even necessary to store it in the vault
<newjuice6> Pistahh: so incidentally enough, that's what i did before. I made a little python script to get a sha512 hash of the password, and i stored that (as recommended in the docs). however after pushing it out, for some reason, some systems took the pass, and others didn't
<Pistahh> newjuice6: and those that didn't, did they need some different type of hash?
<newjuice6> every system was configured to use sha512
<newjuice6> it was a mixed environment of rhel6+7, and i had successes and failures on systems within both groups
<newjuice6> though way more failures than successes
<Pistahh> newjuice6: if the result of {{ plaintext | whateverhash }} is the same as the native hashed value then I see no reason why it wouldn't work...
<Pistahh> also, if they are the same, just implementing the hashing by ansible also will not fix it..
<Mitigating> I vault my users
<Mitigating> for database and I use ssh keys only for shell
<newjuice6> Mitigating: that's what i'm thinking we'll probably do
<Mitigating> the hash idea is pretty good too but say you have multiple database types
<Mitigating> like redshift, mongo, mysql
<Mitigating> I use one dictionary structure for them all
<fredl> hi folks
<fredl> I've set up my SSH to connect to virtual servers behind a NAT router using ProxyCommand
<fredl> This works well from the commandline as the user I set it up for
<fredl> Now, as the same user I use ansible-playbook -s script.yml, which uses the same hostnames behind the NAT
<fredl> but it looks for some reason that won't work
<fredl> And I'm a little bit at a loss.... when I do ansible-playbook -s, ansible will do sudo once on the remote host, correct?
<fredl> Failed to connect to the host via ssh: Stdio forwarding request failed: Session open refused by peer\r\nssh_exchange_identification: Connection closed by remote host\r\n
<apollo13> fredl: yes, sudo is done on the remote host
<apollo13> fredl: that message looks as if you should check the remote hosts logs
<apollo13> (on all involved machines)
<apollo13> looks like some tunneling option is disabled
<fredl> lemme see
<apollo13> also run with -vvvvvv (ansible) to see what it actually executes
<fredl> dang that's VERY verbose, LOL
<apollo13> sure, but usually helpful
<apollo13> should show you the exact ssh command executed
<fredl> Hmm http://paste.debian.net/998810/
<fredl> It's got something to do with that
<fredl> <haiweb.3dn.intern> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/fredl/.ansible/cp/ansible-ssh-%h-%p-%r)
<fredl> I think.
<apollo13> I doubt that
<apollo13> that is just so that ansible can reuse the connection
<apollo13> ie ssh ControlMaster
<apollo13> what happens if you manually execute ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/fredl/.ansible/cp/ansible-ssh-%h-%p-%r haiweb.3dn.intern
<fredl> something in SSH config on server then?
<Pistahh> fredl: just copy&paste that ssh command into the command line, then start stripping it down
<apollo13> if that ssh command already gives you an error you need to look at the server
<fredl> Oh dear, I cannot cut and paste from hexchat, LOL
<fredl> I feel like an IRC virgin again!!! :D
<fredl> aha, I think I know
<fredl> Locally here haiweb.3dn.intern still points in DNS to wrong internal IP
<fredl> that makes sense as it's a server moved from here to Vietnam
<fredl> lemme fix that, maybe somehow it uses local DNS names with Ansible commands while regular ssh haiweb doesn't
<fredl> does ansible use the ~/.ssh/config ?
<apollo13> fredl: partially for sure
<fredl> I mean... how does it decide it needs a ControlMaster? I don't see anything back about using vn.3dn.nl in that command
<fredl> (BTW with the local DNS entry fixed it gives a timeout, so started looking at the actual command in a bit more detail
<fredl> aha, looks like I got some more reading to do then :)
<fredl> tnx so far apollo13
<fredl> Actually looks like this page gives a good example config https://medium.com/@paulskarseth/ansible-bastion-host-proxycommand-e6946c945d30
<apollo13> not really sure why he wants to use a custom ssh cfg file
<Sp4rKy> :query arktemprary
<Sheogorath[m]> Mhm for some reason I can't install "@GNOME Desktop Environment" using the ansible DNF module. it always says the group doesn't exist. dnf itself tells me something different :/
<flowerysong> Random guess: yum has a weird thing where there are actually two types of groups, dnf may preserve that. See https://docs.ansible.com/ansible/latest/yum_module.html#notes
<Sheogorath[m]> Sadly, this doesn't work
<kutenai> This is a great list.. http://py3readiness.org/ It's sad to see Ansible on that list in 'white' however. Any idea when Ansible might be released with proper/full Python3 support?
<hbf> Pistahh: Cool! Thanks a lot!
<tpr> have you had some specific problems with the current ansible then?
<tpr> kutenai: ^ I think there's python 3 support already
<kutenai> The latest versions of ansible are claiming only 2.6 and 2.7 compatibility. I do realize that ansible has what might be called "preliminary" support for P3. Not sure why this isn't listed as fully supported though. I don
<kutenai> I don't generally use it under P3 for that reason however.
<kutenai> Not really interested in trying to debug some "subtle" issue with P3.
<kutenai> It looks like ansible is well on its way to "official" support for P3.. which is great. I just have not seen any predictions on when that might hit
<Sheogorath[m]> Installing `@gnome-desktop`
<mackerman> kutenai: Compatibility with 2.6 and 3.5 is the plan and Python3 problems are considered bugs.