I'm currently learning how to use Ansible. Right now, I've got a bunch of servers, both new and legacy, that have different logins or passwords or both. All have key access to run the plays.
Here's what I started with. Example hosts file:
# legacy and new have different logins (like root and deploy)
[legacy]
serv1
serv2
[new]
serv3
serv4
# different has a different login and password altogether
[different]
serv5
So to keep things simple, I originally had a playbook run the equivalent of sudo apt-get update && sudo apt-get upgrade
on all the machines, but because of the different login/passwd, I had created multiple playbooks for each host. But now I want to DRY it out and am looking at Roles, per their docs.
Right now I have something like this. The test/roles/common/tasks/main.yml file:
---
- name: run apt-get update
apt: update_cache=yes
- name: run apt-get upgrade
apt: upgrade=yes
The site.yml file:
- name: apply common configuration to all nodes
hosts: all
roles:
- common
I understand that I can actually define the different logins with ansible_ssh_user=root
or ...=deploy
in my hosts file. Or put them in group vars. But what do I do about the different sudo passwords? [legacy]
is root so I don't need sudo
, but [new]
and [different]
need it, and have different passwords. How do I do this? Group vars? Do I create these: test/group_vars/new/some_file_with_a_passwd.yml and test/group_vars/different/some_other_passwd.yml (ignoring security issues)?
How does the site.yml recognize that there are hosts with different passwords or some hosts with no passwords?
Edit for clarity's sake: I have SSH access, so doing the 'pre-tasks' step during the play always work (I connect via key access and never via a password). I'm not worried about security as that's the next step. For now, I want to get the group_vars thing right....It's the sudo
escalation I have issues with. E.g. serv1 sudo might be root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3
Normally you would want to pass the sudo password on the command line after Ansible's password prompt after using either the --ask-sudo-password
or its short alias -K
when running with a user that doesn't have passwordless sudo. This has the benefit of then not being recorded in your Ansible code base anywhere and then not ending up in source control.
However, this is a single prompt and will be applied to all hosts so doesn't really fit your use case.
The ansibe_sudo_pass
variable can instead be used to provide the sudo password for the user for any specific host. This should only be used when a sudo password is needed so if you provide this variable to a host with passwordless sudo then it should be ignored.
As your user/password combination seems to be split entirely by group rather than by each and every host then it makes logical sense to put the credentials in group vars.
As pointed out by nikobelia you may want to consider encrypting this sensitive data using something like Ansible's Vault, credstash or something else.