Suppose I have a thousand users, with different sudo settings.
When including a play or playbook within a playbook, can I set the user and sudo key dynamically?
I want to have 1 template I can use for all 1 thousand users instead of having 1000 plays, 1 for each user.
Mike
Yes, you can pass in variables with --extra-args and do things like:
user: "{{ user }}"
Also you can set ansible_ssh_user as an inventory variable too.
If the outer playbook includes a playbook for each of the 1000 users, I am able to pass the user in as a variable; however, I just realized I need to enter the password for each “inner play”. I could set my local computer’s pubkey in known hosts for each user, but can I pass the password in the include statement, either as a variable or an arg?
Mike
You can definitely define a data structure and loop through it with_items.
I am not sure why you would need to login with each of 1000 users when you could log in as something else and just set ownership?
I’m trying to install ruby rvm with the single user install instead of system wide install. Each user needs to be isolated from other users. The rvm installation script will install in ~/.rvm folder.
So is it possible to set each play’s user password with “with_items”? Otherwise I may have to do passwordless ssh login.
Trying to understand, you want to install 1000 copies of RVM on a system or is this more like 1000 different systems?
Have ideas, but answer might depend on which
Basically I’m trying to set up web servers for ruby projects for 1000 users on each machine. Each user has his/her own password. Each user cannot go into other users’ directories. I probably wouldn’t be able to run 1000 ruby code due to memory constraints. 1000 was just to make a point.
If you mean 1000 different systems as in 1000 machines each running separate things, I am setting it up where 1000 machines are identical. Basically horizontally webscaling. In reality I would probably only have 10 machines max.
Let’s just say I put 30 users per machine. My hope was to use the outer playbook to include plays where I can log in as each user and run commands as that user. I could use a sudo user to do it but I would have to modify RVM. The RVM single-user install just installs in the current user’s home directory.
The second problem is, I don’t want to have to physically type in the password for each user. Using a prompt would be a pain. I guess I would have to do passwordless ssh login.
Mike
Ok so you say 1000 machines and you say 10 and then you say 3000 and you say 30, I would like to discuss your actual use case if possible.
I think you really don’t want to run the rbenv setup script 1000 times, that’s for sure.
So I discovered I can only dynamically set playbook users with command line and extra vars,
so I would have to run the command for each user, such as the following:
ansible-playbook -i production inner-playbook.yml --verbose --extra-vars "user=mike"
I tried doing the following within an “outer-playbook.yml”:
- include: inner-playbook.yml
  user: '{{ item }}'
  with_items: $user_list
but the user became {{ user }}
the debug showed
<66.228.54.69> ESTABLISH CONNECTION FOR USER: {{user}} on PORT 2345 TO 66.228.54.22
Is there a way to execute playbooks from playbooks while setting the user with “with_items”?
Mike
Yes and no.
The “sudo_user” is a valid attribute of a task. This should be functional to set the user. I haven’t verified whether that works using “sudo_user: '{{item}}'” or not.
The user itself needs to be set at play level.
It seems it would be easier to run things from sudo root and chown them, and use the file/copy/template modules with the owner= parameter, etc?
–Michael
I just tried to use the sudo_user; it didn’t work for me.
outer playbook
- include: tasks/ruby-project.yml
  inner_user: '{{ item }}'
  with_items: $domains
inner playbook
Yeah, so as brought up a few times before, include + with_items is basically an unsupported thing.
You can’t use inventory variables among other minor issues.
It’s much better to loop inside the tasks instead, and you can set sudo_user on a task attribute.
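The loop-inside-the-tasks approach from the last reply, as an added example that is not part of the original thread: one admin login connects, and each task loops over the user list, so no per-user password is typed or stored. The host group `web`, the login `deploy`, the `ruby_users` list, the `/home/<user>` layout and the installer path `files/rvm-installer` are assumptions; `become` and `become_user` are the current names for the thread's `sudo` and `sudo_user`.

```yaml
# Added example; all names are assumptions (see lead-in), not from the thread.
- hosts: web
  remote_user: deploy            # single admin login with sudo rights
  become: yes                    # current keyword for the thread's 'sudo'
  vars:
    ruby_users:                  # constructed sample list
      - alice
      - bob
  tasks:
    - name: Ensure each account exists
      user:
        name: "{{ item }}"
        shell: /bin/bash
      with_items: "{{ ruby_users }}"

    - name: Keep each home directory private to its owner
      file:
        path: "/home/{{ item }}"
        state: directory
        owner: "{{ item }}"
        mode: "0700"
      with_items: "{{ ruby_users }}"

    - name: Stage a reviewed copy of the RVM installer, writable only by root
      copy:
        src: files/rvm-installer
        dest: /usr/local/share/rvm-installer
        owner: root
        group: root
        mode: "0755"

    - name: Run the single-user install as each user (skipped if ~/.rvm exists)
      command: /usr/local/share/rvm-installer
      args:
        creates: "/home/{{ item }}/.rvm"
      become_user: "{{ item }}"  # current keyword for 'sudo_user', set per item
      with_items: "{{ ruby_users }}"
```

Becoming an unprivileged user from a non-root login requires POSIX ACL support (the `acl` package) on the target so Ansible can hand its temporary module files to that user.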