Hi,

Ansible allows setup user in playbook which is used for connection with servers:
Playbook:
user: some-login-here

This is working fine for one user who is responsible for deployment process, but is not working well when team is responsible to run the same playbooks against servers as different users.
So ansible is allowing overwrite variable - which is great:

Playbook:
user: “{{ ssh_user }}”
vars_files:

• vars/common_sshuser.yml

So now ‘user’ is using variable ‘ssh_user’ which can be defined in command line or in additional variable file: common_sshuser.yml. When this variable is setup - everything is working well.
But when this variable is not setup - ansible is trying connect with servers with SSH USER: ‘{{ ssh_user }}’

This kind of work have perfect sense to put the same code to SCM (SVN, GIT) and allow:

• users to checkout and use them own login to servers to deploy chanages
• automated software complain that something is missing - for example (CI - like jenkins).

Let see scenario:

• Jenkins is checking out everything from SCM and is trying run playbooks, if this variable is not setup, ansible should complain with error and jenkins knows that something is wrong and let user know.
• Currently If ansible is not complaining - the play can be run for long period of time and each time ansible is trying connect with server as user ‘{{ ssh_user }}’ - which can leads to block SSH access on servers which detects failed loggins attempts.

Summary:

• Working between internatinal teams is harder when playbooks have hardcoded usernames.
• Using the same playbooks on CI is not easy as well when playbooks have hardcoded username.

But this is my point of view - is possible that is not exectly right point of view.

So I am posting this to mailing list to know what is your point of view this.

Best regards,
Marcin Praczko

Hi Marcin,

what version of Ansible? From 1.3 on there is possibility to set error_on_undefined_vars = True in ansible.cfg.

Regards,

David

"But when this variable is not setup - ansible is trying connect with servers with SSH USER: ‘{{ ssh_user }}’ "

Also this:

{{ ssh_user | mandatory }}

Even if you aren’t turning on the undefined variable check.

But yes, I’d recommend the former – you almost always want that behavior.

Hi,

Accually I think is still not working as expected:

[vagrant@devopsadmin dir01]$ ansible --version
ansible 1.4.3

Playbook:

• name: Common | Ping all hosts
  gather_facts: no
  hosts: all
  user: “{{ ssh_user }}”
  sudo: yes

vars_files:

• vars/common_sshuser.yml

---------------------------------

Add / Include specific task (will be run after roles)

---------------------------------

tasks:

• ping:

0. If variable is not defined in ‘vars/common_sshuser.yml’ and not passed as variable in command line - ansible is trying connect with ‘{{ xxx }}’ user to servers.

1. Setup ‘error_on_undefined_vars’ in ansible.cfg
   [vagrant@devopsadmin ansible]$ cat /etc/ansible/ansible.cfg | grep True
   …
   error_on_undefined_vars = True

Run ansible
TASK: [ping ] *****************************************************************
ESTABLISH CONNECTION FOR USER: {{ssh_user}} on PORT 22
TO srv01
ESTABLISH CONNECTION FOR USER: {{ssh_user}} on PORT 22
TO srv02

2. Use {{ssh_user | mandatory}} in play

Run absible
TASK: [ping ] *****************************************************************
ESTABLISH CONNECTION FOR USER: {{ssh_user | mandatory}}
on PORT 22 TO srv01
ESTABLISH CONNECTION FOR USER: {{ssh_user | mandatory}}
on PORT 22 TO srv02

So for me looks like user variable in playbook is not checking whether is defined or not.

Best regards,
Marcin Praczko

It's remote_user, which I think changed in 1.4. I just remember seeing
that in the docs yesterday.