In Ansible inventory, can I exclude children from a host group

ansible

Assume you have Ansible inventory set up like the following somewhat-contrived example using ini file format:

[idrac]
host1-idrac
host2-idrac
host3-idrac
; ...and 97 more that I won't write here

[idrac_use_py3]
host1-idrac
host3-idrac

[idrac_use_py2:children]
; syntax to include group idrac
; and exclude hosts that are in idrac_use_py3?

I have tried various inventory variations and tested by running them through ansible-inventory --list. For example I tried idrac:!idrac_use_py3. This gives a syntax error:

[WARNING]:  * Failed to parse /path/to/my/inventory with ini plugin: /path/to/my/inventory:30: Expected group name, got: idrac:!idrac_use_py3

I have tried idrac followed by !idrac_use_py3, and get a different syntax error:

[WARNING]:  * Failed to parse /path/to/my/inventory with ini plugin: /path/to/my/inventory:32: Section [idrac_use_py2:children] includes undefined group: !idrac_use_py3

I have tried moving the idrac_use_py2:children group to a separate file that is lexically loaded last, but that did not fix the undefined group error.

Within the inventory definition, is it possible to exclude members of one group from another group?

Best Answer

Q: "In Ansible inventory, can I exclude children from a host group?"

A: No. The patterns can't be used inside inventory files. Quoting from Using patterns

"The pattern is the only element of an ad-hoc command that has no flag. It is usually the second element:"

shell> ansible <pattern> -m <module_name> -a "<module options>"

"In a playbook, the pattern is the content of the hosts: line for each play:"

- name: <play_name>
  hosts: <pattern>

For example, the inventory

shell> cat hosts
[idrac]
host1-idrac
host2-idrac
host3-idrac
; ...and 97 more that I won't write here

[idrac_use_py3]
host1-idrac
host3-idrac

[idrac_use_py2:children]
; syntax to include group idrac
; and exclude hosts that are in idrac_use_py3?

and the playbook

shell> cat pb.yml
- hosts: idrac:!idrac_use_py3
  gather_facts: false
  tasks:
    - debug:
        var: ansible_play_hosts_all
      run_once: true

work with the required pattern as expected

shell> ansible-playbook -i hosts pb.yml

PLAY [idrac:!idrac_use_py3] *********************************************

TASK [debug] ************************************************************
ok: [host2-idrac] => 
  ansible_play_hosts_all:
  - host2-idrac

PLAY RECAP **********************************************************************
host2-idrac: ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

The next option is to create the group dynamically in the first play and use it in the second e.g.

shell> cat pb.yml
- hosts: all
  gather_facts: false
  tasks:
    - add_host:
        name: "{{ item }}"
        groups: idrac_use_py2
      loop: "{{ groups.idrac|difference(groups.idrac_use_py3) }}"
      run_once: true

- hosts: idrac_use_py2
  gather_facts: false
  tasks:
    - debug:
        var: ansible_play_hosts_all
      run_once: true

gives

shell> ansible-playbook -i hosts pb.yml

PLAY [all] **************************************************************

TASK [add_host] *********************************************************
changed: [host1-idrac] => (item=host2-idrac)

PLAY [idrac_use_py2] ****************************************************

TASK [debug] ************************************************************
ok: [host2-idrac] => 
  ansible_play_hosts_all:
  - host2-idrac

PLAY RECAP **************************************************************
host1-idrac: ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
host2-idrac: ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Related Solutions

Adding a user to an additional group using ansible

According to the User module you can use this:

- name: Adding user {{ user }}  
  user: name={{ user }}
        group={{ user }}
        shell=/bin/bash
        password=${password}
        groups=sudo
        append=yes

You can just add the groups=groupname and append=yes to add them to an existing user when you're creating them

Security – How to implement ansible with per-host passwords, securely

You've certainly done your research...

From all of my experience with ansible what you're looking to accomplish, isn't supported. As you mentioned, ansible states that it does not require passwordless sudo, and you are correct, it does not. But I have yet to see any method of using multiple sudo passwords within ansible, without of course running multiple configs.

So, I can't offer the exact solution you are looking for, but you did ask...

"So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security."

I can give you one view on that. My use case is 1k nodes in multiple data centers supporting a global SaaS firm in which I have to design/implement some insanely tight security controls due to the nature of our business. Security is always balancing act, more usability less security, this process is no different if you are running 10 servers or 1,000 or 100,000.

You are absolutely correct not to use root logins either via password or ssh keys. In fact, root login should be disabled entirely if the servers have a network cable plugged into them.

Lets talk about password reuse, in a large enterprise, is it reasonable to ask sysadmins to have different passwords on each node? for a couple nodes, perhaps, but my admins/engineers would mutiny if they had to have different passwords on 1000 nodes. Implementing that would be near impossible as well, each user would have to store there own passwords somewhere, hopefully a keypass, not a spreadsheet. And every time you put a password in a location where it can be pulled out in plain text, you have greatly decreased your security. I would much rather them know, by heart, one or two really strong passwords than have to consult a keypass file every time they needed to log into or invoke sudo on a machine.

So password resuse and standardization is something that is completely acceptable and standard even in a secure environment. Otherwise ldap, keystone, and other directory services wouldn't need to exist.

When we move to automated users, ssh keys work great to get you in, but you still need to get through sudo. Your choices are a standardized password for the automated user (which is acceptable in many cases) or to enable NOPASSWD as you've pointed out. Most automated users only execute a few commands, so it's quite possible and certainly desirable to enable NOPASSWD, but only for pre-approved commands. I'd suggest using your configuration management (ansible in this case) to manage your sudoers file so that you can easily update the password-less commands list.

Now, there are some steps you can take once you start scaling to further isolate risk. While we have 1000 or so nodes, not all of them are 'production' servers, some are test environments, etc. Not all admins can access production servers, those than can though use their same SSO user/pass|key as they would elsewhere. But automated users are a bit more secure, for instance an automated tool that non-production admins can access has a user & credentials that cannot be used in production. If you want to launch ansible on all nodes, you'd have to do it in two batches, once for non-production and once for production.

We also use puppet though, since it's an enforcing configuration management tool, so most changes to all environments would get pushed out through it.

Obviously, if that feature request you cited gets reopened/completed, what you're looking to do would be entirely supported. Even then though, security is a process of risk assessment and compromise. If you only have a few nodes that you can remember the passwords for without resorting to a post-it note, separate passwords would be slightly more secure. But for most of us, it's not a feasible option.

Best Answer

Related Solutions

Adding a user to an additional group using ansible

Security – How to implement ansible with per-host passwords, securely

Related Topic