trigger --ask-become-pass with playbook variable?

Hi,
I would like to have a playbook trigger the asking of the become password, but I couldn’t find how to do it.
Is there perhaps some variable that can be set in a playbook (or play) to do this? I was thinking of something like “ask_become_pass: true” or something like that.

thx

Dick

Better to use ssh keys or store the details in Ansible Vault or something, but if you need to prompt for the password you could potentially use vars_prompt:

something like

```yaml
- hosts: all
  become: yes
  vars_prompt:
    - name: ansible_become_pass
      prompt: "Enter sudo password"
      private: yes
  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present
```

thx, this worked!

Why not use the “-K” when launching ansible-playbook? That will trigger prompting for the sudo password securely.

Because I don’t want to have to remember to use it.
I have several playbooks, some of them require -K and some of them do not.
I think it should be possible to express that requirement with some parameter, so that I don’t have to remember it.

Is the above workaround less secure than doing -K on the command line?

thx

Dick

Potentially, as far as I can tell the workaround does nothing to stop a plaintext log of the password in memory. You might also consider using Ansible Vault, and the ansible_become_password variable. This seems more in line with what you need/want. Even allows for using different passwords in various points by changing the variable with set.

https://eengstrom.github.io/musings/ansible-sudo-var

The private: yes should prevent it from being logged etc. if I’m reading the documentation correctly.
e.g.

```yaml
- hosts: all
  become: yes
  vars_prompt:
    - name: ansible_become_pass
      prompt: "Enter sudo password"
      private: yes
  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present
```

however,

Have you looked into host_vars?

I tend to refer to hosts with a friendly name, as often we don’t have FQDNs or connect via a different IP to what DNS would point to etc.

something like

```
ansible_project/
├── playbook.yml
├── inventory/
│   └── inventory.yml
└── host_vars/
    ├── webserver01/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    ├── webserver02/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    ├── sqlserver01/
    │   ├── vars.yml   # Plain text variables file
    │   └── vault.yml  # Ansible Vault encrypted variables file
    └── sqlserver02/
        ├── vars.yml   # Plain text variables file
        └── vault.yml  # Ansible Vault encrypted variables file
```

Example inventory

```yaml
all:
  children:
    webservers:
      hosts:
        webserver01:
        webserver02:
    sqlservers:
      hosts:
        sqlserver01:
        sqlserver02:
```

Example content of host_vars/webserver01/vars.yml

```yaml
ip: "192.168.1.101"
port: 22
username: "your_user"
ansible_become_pass: "{{ P_ansible_become_pass }}"
```

Example content of host_vars/webserver01/vault.yml

```yaml
P_ansible_become_pass: "your password here"
```

I like to reference encrypted vars in the non-encrypted vars so I can get a view of all vars in one place without needing to decrypt the vault file.

Hope that helps

Stu
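Putting the layout above together, as an added example rather than code from the thread: a playbook.yml for that project tree. It assumes the `ip`, `port` and `username` keys from vars.yml are mapped onto Ansible's connection variables (the post does not show that mapping), and that the vault file is decrypted at run time with --ask-vault-pass or a vault password file.

```yaml
# playbook.yml (added example; assumes the host_vars layout shown in the post above)
- name: Manage web servers with a vault-stored become password
  hosts: webservers
  become: yes
  vars:
    # Map the friendly keys from host_vars/<host>/vars.yml onto the
    # connection variables Ansible actually reads (assumed mapping, not
    # part of the original post).
    ansible_host: "{{ ip }}"
    ansible_port: "{{ port }}"
    ansible_user: "{{ username }}"
    # ansible_become_pass is deliberately NOT set here: it is resolved from
    # host_vars/<host>/vars.yml, which references the vault-encrypted
    # P_ansible_become_pass, so the sudo password never appears in the play
    # and no interactive prompt (vars_prompt or -K) is needed.
  tasks:
    - name: Install a package
      ansible.builtin.yum:
        name: vim
        state: present
```

Encrypt each vault.yml once with `ansible-vault encrypt host_vars/webserver01/vault.yml` and run `ansible-playbook -i inventory/inventory.yml --ask-vault-pass playbook.yml`; Ansible then prompts for the vault password instead of the sudo password.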