Use variable only if defined in Ansible

ansible

My colleague and I use Ansible to manage a group of servers.

We use the .ansible.cfg file in our local home directories to setup our local environments and keep our playbooks in a git repo.

When authenticating to servers, I use user1, and he uses user2. 95% of of our servers have these accounts, but historically reasons, a few servers only have a "user" account.

We're using host_vars to set the remote_user variable for the minority of servers in question.

However, in our playbooks, we generally user "all" to stipulate what servers we want to hit, and use the –limit parameter on the command line to specify exactly which servers should get the update. Our server farm is a legacy of mis-mash poorly engineered servers that have to be kept online until they are retired in a few years, and we've found that this approach best suits our needs.

Our issue is that our remote_user parameter is set in our .ansible.cfg file, where it is exposed as environment variable rather than a script variable.

That means if our task contains:

remote_user: "{{ remote_user }}"

It will only work for hosts for which that variable is defined

For the 95% of hosts for which we don't define this variable, the task fails.

Is there a way to only use the variable if it is defined?

If remote_user is defined, use it, if not, use the environment variable set in .ansible.cfg

Note: I know I can use:

- name: Do something 
  remote_user: "{{ remote_user }}"
  when: remote_user is defined

In a task definition, but that will only apply to that task, and I don't want to have to update all task

When I really need is for that condition to be available at the hosts definition, ie:

---
- hosts: all
    remote_user: "{{ remote_user }}"
    when: remote_user is defined

But that is illegal in Ansible

Best Answer

As usual, after spending 2 hours postponing asking the question here, I find the answer 5 mins after I post the question!

Its really simple. To set a different remote_user for individual systems without having to apply loads of hacks to existing playbooks, just add the var to the host in your inventory:

[web_servers]
server1 ansible_ssh_user=user
server2

In this instance, any time a play incldues server1, "user" will be used as the ssh user. For server2, the value of remote_user from your ansible.cfg file will be used (eg user1, user2 etc depending on the local environment).

Related Solutions

Security – How to implement ansible with per-host passwords, securely

You've certainly done your research...

From all of my experience with ansible what you're looking to accomplish, isn't supported. As you mentioned, ansible states that it does not require passwordless sudo, and you are correct, it does not. But I have yet to see any method of using multiple sudo passwords within ansible, without of course running multiple configs.

So, I can't offer the exact solution you are looking for, but you did ask...

"So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security."

I can give you one view on that. My use case is 1k nodes in multiple data centers supporting a global SaaS firm in which I have to design/implement some insanely tight security controls due to the nature of our business. Security is always balancing act, more usability less security, this process is no different if you are running 10 servers or 1,000 or 100,000.

You are absolutely correct not to use root logins either via password or ssh keys. In fact, root login should be disabled entirely if the servers have a network cable plugged into them.

Lets talk about password reuse, in a large enterprise, is it reasonable to ask sysadmins to have different passwords on each node? for a couple nodes, perhaps, but my admins/engineers would mutiny if they had to have different passwords on 1000 nodes. Implementing that would be near impossible as well, each user would have to store there own passwords somewhere, hopefully a keypass, not a spreadsheet. And every time you put a password in a location where it can be pulled out in plain text, you have greatly decreased your security. I would much rather them know, by heart, one or two really strong passwords than have to consult a keypass file every time they needed to log into or invoke sudo on a machine.

So password resuse and standardization is something that is completely acceptable and standard even in a secure environment. Otherwise ldap, keystone, and other directory services wouldn't need to exist.

When we move to automated users, ssh keys work great to get you in, but you still need to get through sudo. Your choices are a standardized password for the automated user (which is acceptable in many cases) or to enable NOPASSWD as you've pointed out. Most automated users only execute a few commands, so it's quite possible and certainly desirable to enable NOPASSWD, but only for pre-approved commands. I'd suggest using your configuration management (ansible in this case) to manage your sudoers file so that you can easily update the password-less commands list.

Now, there are some steps you can take once you start scaling to further isolate risk. While we have 1000 or so nodes, not all of them are 'production' servers, some are test environments, etc. Not all admins can access production servers, those than can though use their same SSO user/pass|key as they would elsewhere. But automated users are a bit more secure, for instance an automated tool that non-production admins can access has a user & credentials that cannot be used in production. If you want to launch ansible on all nodes, you'd have to do it in two batches, once for non-production and once for production.

We also use puppet though, since it's an enforcing configuration management tool, so most changes to all environments would get pushed out through it.

Obviously, if that feature request you cited gets reopened/completed, what you're looking to do would be entirely supported. Even then though, security is a process of risk assessment and compromise. If you only have a few nodes that you can remember the passwords for without resorting to a post-it note, separate passwords would be slightly more secure. But for most of us, it's not a feasible option.

Ubuntu – ansible: setting variable according to ansible_os_family

I have solved my own problem.

In essence, you can set variable according to os_family, but you have to do it correctly.

See my fixed playbook below:

---
- name: Set fact for Debian
  set_fact:
    destination: "/etc/nagios/nrpe.d/"
    nrpe_server: "nagios-nrpe-server"
  when: ansible_os_family == "Debian"

- name: Set fact for RedHat
  set_fact:
    destination: "/etc/nrpe.d/"
    nrpe_server: "nrpe"
  when: ansible_os_family == "RedHat"

- name: Ensure Nagios custom checks directory exists
  file: path=/usr/local/lib/nagios/plugins state=directory mode=0755

- name: Install check_cpu_steal nagios check
  copy: src=eprepo/sysadmin/nagios_checks/check_cpu_steal dest=/usr/local/lib/nagios/plugins/check_cpu_steal mode=0755 owner=root group=root

- name: Install check_cpu_steal nrpe config
  copy: src=eprepo/sysadmin/files/check_cpu_steal.conf dest="{{ destination }}/check_cpu_steal.cfg" mode=0644 owner=root group=root

- name: Restart nrpe daemon
  service: name={{ nrpe_server }} state=restarted

Best Answer

Related Solutions

Security – How to implement ansible with per-host passwords, securely

Ubuntu – ansible: setting variable according to ansible_os_family

Related Topic