mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
standardize connection variable names (#51776)

* standardize user/password connection vars
* docs: use ansible_user and ansible_password
* docs: var precedence for connection vars
* docs: ansible_become_pass -> ansible_become_password etc
parent 51061f8a5f
commit 953058d025
35 changed files with 120 additions and 93 deletions
7
changelogs/fragments/standardize_connection_vars.yaml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
minor_changes: |
|
||||||
|
Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
|
||||||
|
and ``ansible_<conn-type>_password`` variables. Variables such as
|
||||||
|
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
|
||||||
|
with lower priority than the standardized names and may be deprecated in the
|
||||||
|
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
|
||||||
|
be used unless there is a reason to use the connection-specific variables.
|
|
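Review bot: The fragment says ``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are "treated with lower priority than the standardized names", but it does not say what happens when an inventory sets both forms at different scopes. If the new name now wins regardless of where the old one is defined, an existing inventory could pick up a different credential after upgrade; please state the resulting behaviour explicitly and say whether a warning is emitted when both are present. "may be deprecated in the future" would also be more useful with a target version or a pointer to where that decision is tracked.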
@ -19,7 +19,7 @@ To debug a module running on a remote target (i.e. not ``localhost``):
|
||||||
|
|
||||||
#. On your controller machine (running Ansible) set ``ANSIBLE_KEEP_REMOTE_FILES=1`` to tell Ansible to retain the modules it sends to the remote machine instead of removing them after you playbook runs.
|
#. On your controller machine (running Ansible) set ``ANSIBLE_KEEP_REMOTE_FILES=1`` to tell Ansible to retain the modules it sends to the remote machine instead of removing them after you playbook runs.
|
||||||
#. Run your playbook targeting the remote machine and specify ``-vvvv`` (verbose) to display the remote location Ansible is using for the modules (among many other things).
|
#. Run your playbook targeting the remote machine and specify ``-vvvv`` (verbose) to display the remote location Ansible is using for the modules (among many other things).
|
||||||
#. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_ssh_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``.
|
#. Take note of the directory Ansible used to store modules on the remote host. This directory is usually under the home directory of your ``ansible_user``, in the form ``~/.ansible/tmp/ansible-tmp-...``.
|
||||||
#. SSH into the remote target after the playbook runs.
|
#. SSH into the remote target after the playbook runs.
|
||||||
#. Navigate to the directory you noted in step 3.
|
#. Navigate to the directory you noted in step 3.
|
||||||
#. Extract the module you want to debug from the zipped file that Ansible sent to the remote host: ``$ python my_test_module.py explode``. Ansible will expand the module into ``./debug-dir``. You can optionally run the zipped file by specifying ``python my_test_module.py``.
|
#. Extract the module you want to debug from the zipped file that Ansible sent to the remote host: ``$ python my_test_module.py explode``. Ansible will expand the module into ``./debug-dir``. You can optionally run the zipped file by specifying ``python my_test_module.py``.
|
||||||
|
|
|
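Review bot: In step 3, "the home directory of your ``ansible_user``" reads as if the variable is always set, while the variable reference elsewhere in this commit says that without it the user running ``ansible-playbook`` is used. Suggest wording such as "the home directory of the user Ansible connected as (``ansible_user`` if set)". While this list is being touched, step 1 in the context lines still has the typo "after you playbook runs".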
@ -179,13 +179,13 @@ Create the encrypted ssh password for your VyOS network devices, pulling your an
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_ssh_pass'
|
ansible-vault encrypt_string --vault-id my_user@~/my-ansible-vault-pw-file 'VyOS_SSH_password' --name 'ansible_password'
|
||||||
|
|
||||||
If you prefer to type your ansible-vault password rather than store it in a file, you can request a prompt:
|
If you prefer to type your ansible-vault password rather than store it in a file, you can request a prompt:
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_ssh_pass'
|
ansible-vault encrypt_string --vault-id my_user@prompt 'VyOS_SSH_password' --name 'ansible_password'
|
||||||
|
|
||||||
and type in the vault password for ``my_user``.
|
and type in the vault password for ``my_user``.
|
||||||
|
|
||||||
|
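Review bot: Both ``encrypt_string`` examples still pass the plaintext 'VyOS_SSH_password' as a positional argument, so a reader who copies the pattern with a real secret leaves it in shell history and in the process list while the command runs. Since these two lines are being edited anyway, consider switching the example to read the value interactively or from stdin (``encrypt_string`` has ``--prompt`` and ``--stdin-name`` for that), or add a sentence saying the quoted string is a placeholder. Note that the ``my_user@prompt`` variant only protects the vault password, not the value being encrypted.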
@ -193,7 +193,7 @@ The :option:`--vault-id <ansible-playbook --vault-id>` flag allows different vau
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
ansible_ssh_pass: !vault |
|
ansible_password: !vault |
|
||||||
$ANSIBLE_VAULT;1.2;AES256;my_user
|
$ANSIBLE_VAULT;1.2;AES256;my_user
|
||||||
66386134653765386232383236303063623663343437643766386435663632343266393064373933
|
66386134653765386232383236303063623663343437643766386435663632343266393064373933
|
||||||
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
|
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
|
||||||
|
@ -213,7 +213,7 @@ This is an example using an extract from a YAML inventory, as the INI format do
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: vyos
|
ansible_network_os: vyos
|
||||||
ansible_user: my_vyos_user
|
ansible_user: my_vyos_user
|
||||||
ansible_ssh_pass: !vault |
|
ansible_password: !vault |
|
||||||
$ANSIBLE_VAULT;1.2;AES256;my_user
|
$ANSIBLE_VAULT;1.2;AES256;my_user
|
||||||
66386134653765386232383236303063623663343437643766386435663632343266393064373933
|
66386134653765386232383236303063623663343437643766386435663632343266393064373933
|
||||||
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
|
3661666132363339303639353538316662616638356631650a316338316663666439383138353032
|
||||||
|
@ -244,11 +244,11 @@ To see the original value, you can use the debug module. Please note if your YAM
|
||||||
|
|
||||||
cat vyos.yml | grep -v ansible_connection >> vyos_no_connection.yml
|
cat vyos.yml | grep -v ansible_connection >> vyos_no_connection.yml
|
||||||
|
|
||||||
ansible localhost -m debug -a var="ansible_ssh_pass" -e "@vyos_no_connection.yml" --ask-vault-pass
|
ansible localhost -m debug -a var="ansible_password" -e "@vyos_no_connection.yml" --ask-vault-pass
|
||||||
Vault password:
|
Vault password:
|
||||||
|
|
||||||
localhost | SUCCESS => {
|
localhost | SUCCESS => {
|
||||||
"ansible_ssh_pass": "VyOS_SSH_password"
|
"ansible_password": "VyOS_SSH_password"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -80,7 +80,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
|
||||||
ansible_become_method=enable
|
ansible_become_method=enable
|
||||||
ansible_network_os=eos
|
ansible_network_os=eos
|
||||||
ansible_user=my_eos_user
|
ansible_user=my_eos_user
|
||||||
ansible_ssh_pass= !vault |
|
ansible_password= !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
37373735393636643261383066383235363664386633386432343236663533343730353361653735
|
37373735393636643261383066383235363664386633386432343236663533343730353361653735
|
||||||
6131363539383931353931653533356337353539373165320a316465383138636532343463633236
|
6131363539383931353931653533356337353539373165320a316465383138636532343463633236
|
||||||
|
@ -98,7 +98,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
|
||||||
ansible_become_method=enable
|
ansible_become_method=enable
|
||||||
ansible_network_os=ios
|
ansible_network_os=ios
|
||||||
ansible_user=my_ios_user
|
ansible_user=my_ios_user
|
||||||
ansible_ssh_pass= !vault |
|
ansible_password= !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
34623431313336343132373235313066376238386138316466636437653938623965383732373130
|
34623431313336343132373235313066376238386138316466636437653938623965383732373130
|
||||||
3466363834613161386538393463663861636437653866620a373136356366623765373530633735
|
3466363834613161386538393463663861636437653866620a373136356366623765373530633735
|
||||||
|
@ -114,7 +114,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
|
||||||
[vyos:vars]
|
[vyos:vars]
|
||||||
ansible_network_os=vyos
|
ansible_network_os=vyos
|
||||||
ansible_user=my_vyos_user
|
ansible_user=my_vyos_user
|
||||||
ansible_ssh_pass= !vault |
|
ansible_password= !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
39336231636137663964343966653162353431333566633762393034646462353062633264303765
|
39336231636137663964343966653162353431333566633762393034646462353062633264303765
|
||||||
6331643066663534383564343537343334633031656538370a333737656236393835383863306466
|
6331643066663534383564343537343334633031656538370a333737656236393835383863306466
|
||||||
|
@ -122,7 +122,7 @@ Because Ansible is a flexible tool, there are a number of ways to specify connec
|
||||||
3665626431626532630a353564323566316162613432373738333064366130303637616239396438
|
3665626431626532630a353564323566316162613432373738333064366130303637616239396438
|
||||||
9853
|
9853
|
||||||
|
|
||||||
If you use ssh-agent, you do not need the ``ansible_ssh_pass`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`.
|
If you use ssh-agent, you do not need the ``ansible_password`` lines. If you use ssh keys, but not ssh-agent, and you have multiple keys, specify the key to use for each connection in the ``[group:vars]`` section with ``ansible_ssh_private_key_file=/path/to/correct/key``. For more information on ``ansible_ssh_`` options see the :ref:`behavioral_parameters`.
|
||||||
|
|
||||||
.. FIXME FUTURE Gundalow - Link to network auth & proxy page (to be written)
|
.. FIXME FUTURE Gundalow - Link to network auth & proxy page (to be written)
|
||||||
|
|
||||||
|
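Review bot: The rewritten paragraph now refers to ``ansible_password`` but keeps ``ansible_ssh_private_key_file`` and still closes with "For more information on ``ansible_ssh_`` options", which leaves it unclear which ``ansible_ssh_`` names survive this rename. Suggest pointing the closing sentence at connection options in general and saying explicitly that ``ansible_ssh_private_key_file`` keeps its name.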
@ -137,7 +137,7 @@ The "Vault" feature of Ansible allows you to keep sensitive data such as passwor
|
||||||
Informs Ansible which Network platform this hosts corresponds to. This is required when using ``network_cli`` or ``netconf``.
|
Informs Ansible which Network platform this hosts corresponds to. This is required when using ``network_cli`` or ``netconf``.
|
||||||
:ansible_user: The user to connect to the remote device (switch) as. Without this the user that is running ``ansible-playbook`` would be used.
|
:ansible_user: The user to connect to the remote device (switch) as. Without this the user that is running ``ansible-playbook`` would be used.
|
||||||
Specifies which user on the network device the connection
|
Specifies which user on the network device the connection
|
||||||
:ansible_ssh_pass:
|
:ansible_password:
|
||||||
The corresponding password for ``ansible_user`` to log in as. If not specified SSH key will be used.
|
The corresponding password for ``ansible_user`` to log in as. If not specified SSH key will be used.
|
||||||
:ansible_become:
|
:ansible_become:
|
||||||
If enable mode (privilege mode) should be used, see the next section.
|
If enable mode (privilege mode) should be used, see the next section.
|
||||||
|
|
|
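Review bot: The ``:ansible_password:`` entry replaces ``:ansible_ssh_pass:`` without leaving any mention of the old name, so someone reading an existing inventory that still uses ``ansible_ssh_pass`` will not find it in this field list. Add a short remark that the old name is still accepted at lower priority, matching the changelog fragment in this commit. The context line "If not specified SSH key will be used" could also take an article ("an SSH key") while the entry is open.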
@ -703,7 +703,7 @@ Example Ansible inventory file
|
||||||
ansible_connection=netconf
|
ansible_connection=netconf
|
||||||
ansible_network_os=junos
|
ansible_network_os=junos
|
||||||
ansible_user=myuser
|
ansible_user=myuser
|
||||||
ansible_ssh_pass=!vault...
|
ansible_password=!vault...
|
||||||
|
|
||||||
|
|
||||||
.. note:: Using ``ProxyCommand`` with passwords via variables
|
.. note:: Using ``ProxyCommand`` with passwords via variables
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
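Review bot: The changelog fragment in this commit does not cover the ``ansible_become_pass:`` to ``ansible_become_password:`` rename made in the Enable Mode row of this table; it only mentions ``ansible_<conn-type>_user`` and ``ansible_<conn-type>_password``. Either extend the fragment to cover the become variable or note here that ``ansible_become_pass`` remains valid, otherwise readers cannot tell whether the old spelling still works. The same applies to the identical row in the other platform tables changed further down.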
@ -45,14 +45,14 @@ Example CLI ``group_vars/cnos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: cnos
|
ansible_network_os: cnos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos10.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: dellos10
|
ansible_network_os: dellos10
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos6.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: dellos6
|
ansible_network_os: dellos6
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/dellos9.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: dellos9
|
ansible_network_os: dellos9
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/enos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: enos
|
ansible_network_os: enos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -52,14 +52,14 @@ Example CLI ``group_vars/eos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: eos
|
ansible_network_os: eos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
@ -106,7 +106,7 @@ Example eAPI ``group_vars/eos.yml``
|
||||||
ansible_connection: httpapi
|
ansible_connection: httpapi
|
||||||
ansible_network_os: eos
|
ansible_network_os: eos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
proxy_env:
|
proxy_env:
|
||||||
|
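Review bot: The eAPI example has no ``ansible_become_password`` line: it sets ``ansible_become: yes`` and ``ansible_become_method: enable`` and then goes straight to ``proxy_env:``, whereas the CLI example in the previous hunk includes the become password. If the enable password is optional for ``httpapi``, say so in the surrounding text; if it was simply left out, add the line so the two examples stay parallel.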
@ -140,7 +140,7 @@ eAPI examples with ``connection: local``
|
||||||
ansible_connection: local
|
ansible_connection: local
|
||||||
ansible_network_os: eos
|
ansible_network_os: eos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
eapi:
|
eapi:
|
||||||
host: "{{ inventory_hostname }}"
|
host: "{{ inventory_hostname }}"
|
||||||
transport: eapi
|
transport: eapi
|
||||||
|
|
|
@ -47,11 +47,11 @@ Example CLI ``group_vars/exos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: exos
|
ansible_network_os: exos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/ios.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: ios
|
ansible_network_os: ios
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -27,7 +27,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` |
|
||||||
| | | | and ``ansible_become_pass:`` |
|
| | | | and ``ansible_become_password:`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+
|
+---------------------------+-----------------------------------------------+
|
||||||
|
@ -45,14 +45,14 @@ Example CLI ``group_vars/mlx.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: ironware
|
ansible_network_os: ironware
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -46,11 +46,11 @@ Example CLI inventory ``[junos:vars]``
|
||||||
ansible_connection=network_cli
|
ansible_connection=network_cli
|
||||||
ansible_network_os=junos
|
ansible_network_os=junos
|
||||||
ansible_user=myuser
|
ansible_user=myuser
|
||||||
ansible_ssh_pass=!vault...
|
ansible_password=!vault...
|
||||||
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ Example NETCONF inventory ``[junos:vars]``
|
||||||
ansible_connection=netconf
|
ansible_connection=netconf
|
||||||
ansible_network_os=junos
|
ansible_network_os=junos
|
||||||
ansible_user=myuser
|
ansible_user=myuser
|
||||||
ansible_ssh_pass=!vault |
|
ansible_password=!vault |
|
||||||
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
|
|
|
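Review bot: The rewritten ``ansible_password`` line still ends in ``!vault |``, while the CLI ``[junos:vars]`` example earlier in this file uses ``!vault...`` as the elision. Since the line is being touched anyway, write ``ansible_password=!vault...`` so readers do not copy a dangling ``|`` into an INI inventory.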
@ -59,7 +59,7 @@ Example NETCONF inventory ``[junos:vars]``
|
||||||
ansible_connection=netconf
|
ansible_connection=netconf
|
||||||
ansible_network_os=junos
|
ansible_network_os=junos
|
||||||
ansible_user=myuser
|
ansible_user=myuser
|
||||||
ansible_ssh_pass=!vault |
|
ansible_password=!vault |
|
||||||
|
|
||||||
|
|
||||||
Example NETCONF Task
|
Example NETCONF Task
|
||||||
|
|
|
@ -47,11 +47,11 @@ Example CLI ``group_vars/nos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: nos
|
ansible_network_os: nos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,7 @@ Connections Available
|
||||||
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
||||||
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | not supported by NX-API |
|
| | **Enable Mode** | | supported - use ``ansible_become: yes`` | | not supported by NX-API |
|
||||||
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | |
|
| | (Privilege Escalation) | | with ``ansible_become_method: enable`` | | |
|
||||||
| | supported as of 2.5.3 | | and ``ansible_become_pass:`` | | |
|
| | supported as of 2.5.3 | | and ``ansible_become_password:`` | | |
|
||||||
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
||||||
| **Returned Data Format** | ``stdout[0].`` | ``stdout[0].messages[0].`` |
|
| **Returned Data Format** | ``stdout[0].`` | ``stdout[0].messages[0].`` |
|
||||||
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
+---------------------------+-----------------------------------------------+-----------------------------------------+
|
||||||
|
@ -47,14 +47,14 @@ Example CLI ``group_vars/nxos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: nxos
|
ansible_network_os: nxos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ Example NX-API ``group_vars/nxos.yml``
|
||||||
ansible_connection: httpapi
|
ansible_connection: httpapi
|
||||||
ansible_network_os: nxos
|
ansible_network_os: nxos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
proxy_env:
|
proxy_env:
|
||||||
http_proxy: http://proxy.example.com:8080
|
http_proxy: http://proxy.example.com:8080
|
||||||
|
|
||||||
|
|
|
@ -40,14 +40,14 @@ Example CLI ``group_vars/routeros.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: routeros
|
ansible_network_os: routeros
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_become_pass: !vault...
|
ansible_become_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -47,11 +47,11 @@ Example CLI ``group_vars/slxos.yml``
|
||||||
ansible_connection: network_cli
|
ansible_connection: network_cli
|
||||||
ansible_network_os: slxos
|
ansible_network_os: slxos
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -49,11 +49,11 @@ Example CLI ``group_vars/voss.yml``
|
||||||
ansible_user: myuser
|
ansible_user: myuser
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: enable
|
ansible_become_method: enable
|
||||||
ansible_ssh_pass: !vault...
|
ansible_password: !vault...
|
||||||
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
|
||||||
|
|
||||||
|
|
||||||
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_ssh_pass`` configuration.
|
- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration.
|
||||||
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration.
|
||||||
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords via environment variables.
|
||||||
|
|
||||||
|
|
|
@ -167,6 +167,13 @@ Noteworthy module changes
|
||||||
Plugins
|
Plugins
|
||||||
=======
|
=======
|
||||||
|
|
||||||
|
* Connection plugins have been standardized to allow use of ``ansible_<conn-type>_user``
|
||||||
|
and ``ansible_<conn-type>_password`` variables. Variables such as
|
||||||
|
``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` are treated
|
||||||
|
with lower priority than the standardized names and may be deprecated in the
|
||||||
|
future. In general, the ``ansible_user`` and ``ansible_password`` vars should
|
||||||
|
be used unless there is a reason to use the connection-specific variables.
|
||||||
|
|
||||||
* The ``powershell`` shell plugin now uses ``async_dir`` to define the async path for the results file and the default
|
* The ``powershell`` shell plugin now uses ``async_dir`` to define the async path for the results file and the default
|
||||||
has changed to ``%USERPROFILE%\.ansible_async``. To control this path now, either set the ``ansible_async_dir``
|
has changed to ``%USERPROFILE%\.ansible_async``. To control this path now, either set the ``ansible_async_dir``
|
||||||
variable or the ``async_dir`` value in the ``powershell`` section of the config ini.
|
variable or the ``async_dir`` value in the ``powershell`` section of the config ini.
|
||||||
|
|
|
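Review bot: The new bullet names only the ``ansible_<conn-type>_pass`` and ``ansible_<conn-type>_username`` spellings, but the documentation changes in this commit also move ``ansible_become_pass`` to ``ansible_become_password``. Say here whether the old become name is still accepted, and replace "may be deprecated in the future" with something readers can act on, such as which name wins when an inventory defines both.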
@ -135,7 +135,7 @@ So let us assume we have our target configured in the inventory using the FQDN n
|
||||||
my-apic-1:
|
my-apic-1:
|
||||||
ansible_host: apic01.fqdn.intra
|
ansible_host: apic01.fqdn.intra
|
||||||
ansible_user: admin
|
ansible_user: admin
|
||||||
ansible_pass: my-password
|
ansible_password: my-password
|
||||||
|
|
||||||
One way to set this up is to add to every task the directive: ``delegate_to: localhost``.
|
One way to set this up is to add to every task the directive: ``delegate_to: localhost``.
|
||||||
|
|
||||||
|
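Review bot: The inventory line ``ansible_password: my-password`` keeps a cleartext secret in an example that readers copy, and after the rename it is the generic connection password variable rather than an arbitrary name. The inventory reference updated in this commit says never to store this variable in plain text, so show a vaulted value here (the network platform pages use ``!vault...``).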
@ -146,7 +146,7 @@ One way to set this up is to add to every task the directive: ``delegate_to: loc
|
||||||
aci_tenant:
|
aci_tenant:
|
||||||
host: '{{ ansible_host }}'
|
host: '{{ ansible_host }}'
|
||||||
username: '{{ ansible_user }}'
|
username: '{{ ansible_user }}'
|
||||||
password: '{{ ansible_pass }}'
|
password: '{{ ansible_password }}'
|
||||||
|
|
||||||
state: query
|
state: query
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -168,7 +168,7 @@ In this case the inventory may look like this:
|
||||||
my-apic-1:
|
my-apic-1:
|
||||||
ansible_host: apic01.fqdn.intra
|
ansible_host: apic01.fqdn.intra
|
||||||
ansible_user: admin
|
ansible_user: admin
|
||||||
ansible_pass: my-password
|
ansible_password: my-password
|
||||||
ansible_connection: local
|
ansible_connection: local
|
||||||
|
|
||||||
But used tasks do not need anything special added.
|
But used tasks do not need anything special added.
|
||||||
|
@ -179,7 +179,7 @@ But used tasks do not need anything special added.
|
||||||
aci_tenant:
|
aci_tenant:
|
||||||
host: '{{ ansible_host }}'
|
host: '{{ ansible_host }}'
|
||||||
username: '{{ ansible_user }}'
|
username: '{{ ansible_user }}'
|
||||||
password: '{{ ansible_pass }}'
|
password: '{{ ansible_password }}'
|
||||||
|
|
||||||
state: query
|
state: query
|
||||||
register: all_tenants
|
register: all_tenants
|
||||||
|
|
|
@ -130,7 +130,7 @@ The rax module returns data about the nodes it creates, like IP addresses, hostn
|
||||||
add_host:
|
add_host:
|
||||||
hostname: "{{ item.name }}"
|
hostname: "{{ item.name }}"
|
||||||
ansible_host: "{{ item.rax_accessipv4 }}"
|
ansible_host: "{{ item.rax_accessipv4 }}"
|
||||||
ansible_ssh_pass: "{{ item.rax_adminpass }}"
|
ansible_password: "{{ item.rax_adminpass }}"
|
||||||
groups: raxhosts
|
groups: raxhosts
|
||||||
loop: "{{ rax.success }}"
|
loop: "{{ rax.success }}"
|
||||||
when: rax.action == 'create'
|
when: rax.action == 'create'
|
||||||
|
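Review bot: In the ``add_host`` task, ``ansible_password: "{{ item.rax_adminpass }}"`` is set inside a ``loop`` over ``rax.success`` and the visible task has no ``no_log: true``, so each loop item, admin password included, can end up in task output and logs. Add ``no_log: true`` to the example task or call it out in the surrounding text; the same applies to the other two ``add_host`` hunks in this file.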
@ -511,7 +511,7 @@ Build a complete webserver environment with servers, custom networks and load ba
|
||||||
add_host:
|
add_host:
|
||||||
hostname: "{{ item.name }}"
|
hostname: "{{ item.name }}"
|
||||||
ansible_host: "{{ item.rax_accessipv4 }}"
|
ansible_host: "{{ item.rax_accessipv4 }}"
|
||||||
ansible_ssh_pass: "{{ item.rax_adminpass }}"
|
ansible_password: "{{ item.rax_adminpass }}"
|
||||||
ansible_user: root
|
ansible_user: root
|
||||||
groups: web
|
groups: web
|
||||||
loop: "{{ rax.success }}"
|
loop: "{{ rax.success }}"
|
||||||
|
@ -592,7 +592,7 @@ Using a Control Machine
|
||||||
add_host:
|
add_host:
|
||||||
hostname: "{{ item.name }}"
|
hostname: "{{ item.name }}"
|
||||||
ansible_host: "{{ item.rax_accessipv4 }}"
|
ansible_host: "{{ item.rax_accessipv4 }}"
|
||||||
ansible_ssh_pass: "{{ item.rax_adminpass }}"
|
ansible_password: "{{ item.rax_adminpass }}"
|
||||||
ansible_user: root
|
ansible_user: root
|
||||||
rax_id: "{{ item.rax_id }}"
|
rax_id: "{{ item.rax_id }}"
|
||||||
groups: web,new_web
|
groups: web,new_web
|
||||||
|
|
|
@ -73,7 +73,7 @@ ansible_become_method
|
||||||
ansible_become_user
|
ansible_become_user
|
||||||
set the user you become through privilege escalation; does not imply ``ansible_become: yes``
|
set the user you become through privilege escalation; does not imply ``ansible_become: yes``
|
||||||
|
|
||||||
ansible_become_pass
|
ansible_become_password
|
||||||
set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text
|
set the privilege escalation password. See :doc:`playbooks_vault` for details on how to avoid having secrets in plain text
|
||||||
|
|
||||||
For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this::
|
For example, if you want to run all tasks as ``root`` on a server named ``webserver``, but you can only connect as the ``manager`` user, you could use an inventory entry like this::
|
||||||
|
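Review bot: The ``ansible_become_pass`` entry is replaced outright, so a reader searching this reference for the name used in existing inventories finds nothing. Keep a one-line mention under ``ansible_become_password`` that ``ansible_become_pass`` is the older spelling and state whether it is still honoured.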
@ -298,7 +298,7 @@ Passwords for enable mode
|
||||||
If you need a password to enter ``enable`` mode, you can specify it in one of two ways:
|
If you need a password to enter ``enable`` mode, you can specify it in one of two ways:
|
||||||
|
|
||||||
* providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
|
* providing the :option:`--ask-become-pass <ansible-playbook --ask-become-pass>` command line option
|
||||||
* setting the ``ansible_become_pass`` connection variable
|
* setting the ``ansible_become_password`` connection variable
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
|
@ -553,8 +553,8 @@ option for a Scheduled Task. In this scenario, the become process will not be
|
||||||
able to access any network resources like a normal WinRM process.
|
able to access any network resources like a normal WinRM process.
|
||||||
|
|
||||||
To make a distinction between using become with no password and becoming an
|
To make a distinction between using become with no password and becoming an
|
||||||
account that has no password make sure to keep ``ansible_become_pass`` as
|
account that has no password make sure to keep ``ansible_become_password`` as
|
||||||
undefined or set ``ansible_become_pass:``.
|
undefined or set ``ansible_become_password:``.
|
||||||
|
|
||||||
.. Note:: Because there are no guarantees an existing token will exist for a
|
.. Note:: Because there are no guarantees an existing token will exist for a
|
||||||
user when Ansible runs, there's a high change the become process will only
|
user when Ansible runs, there's a high change the become process will only
|
||||||
|
@ -568,7 +568,7 @@ Accounts without a Password
|
||||||
|
|
||||||
Ansible can be used to become an account that does not have a password (like the
|
Ansible can be used to become an account that does not have a password (like the
|
||||||
``Guest`` account). To become an account without a password, set up the
|
``Guest`` account). To become an account without a password, set up the
|
||||||
variables like normal but set ``ansible_become_pass: ''``.
|
variables like normal but set ``ansible_become_password: ''``.
|
||||||
|
|
||||||
Before become can work on an account like this, the local policy
|
Before become can work on an account like this, the local policy
|
||||||
`Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)>`_
|
`Accounts: Limit local account use of blank passwords to console logon only <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852174(v=ws.11)>`_
|
||||||
|
@ -586,7 +586,7 @@ or with this Ansible task:
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
.. Note:: This is only for accounts that do not have a password. You still need
|
.. Note:: This is only for accounts that do not have a password. You still need
|
||||||
to set the account's password under ``ansible_become_pass`` if the
|
to set the account's password under ``ansible_become_password`` if the
|
||||||
become_user has a password.
|
become_user has a password.
|
||||||
|
|
||||||
Become Flags
|
Become Flags
|
||||||
|
@ -661,7 +661,7 @@ Here are some examples of how to use ``become_flags`` with Windows tasks:
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: runas
|
ansible_become_method: runas
|
||||||
ansible_become_user: DOMAIN\user
|
ansible_become_user: DOMAIN\user
|
||||||
ansible_become_pass: Password01
|
ansible_become_password: Password01
|
||||||
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
||||||
|
|
||||||
- name: run a command under a batch logon
|
- name: run a command under a batch logon
|
||||||
|
|
|
@ -515,15 +515,15 @@ General for all connections:
|
||||||
ansible_host
|
ansible_host
|
||||||
The name of the host to connect to, if different from the alias you wish to give to it.
|
The name of the host to connect to, if different from the alias you wish to give to it.
|
||||||
ansible_port
|
ansible_port
|
||||||
The ssh port number, if not 22
|
The connection port number, if not the default (22 for ssh)
|
||||||
ansible_user
|
ansible_user
|
||||||
The default ssh user name to use.
|
The user name to use when connecting to the host
|
||||||
|
ansible_password
|
||||||
|
The password to use to authenticate to the host (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
|
||||||
|
|
||||||
|
|
||||||
Specific to the SSH connection:
|
Specific to the SSH connection:
|
||||||
|
|
||||||
ansible_ssh_pass
|
|
||||||
The ssh password to use (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
|
|
||||||
ansible_ssh_private_key_file
|
ansible_ssh_private_key_file
|
||||||
Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent.
|
Private key file used by ssh. Useful if using multiple keys and you don't want to use SSH agent.
|
||||||
ansible_ssh_common_args
|
ansible_ssh_common_args
|
||||||
|
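Review bot: The ``ansible_ssh_pass`` entry under "Specific to the SSH connection" is deleted rather than marked as the older name, while the precedence paragraph added elsewhere in this commit says connection-specific variables outrank generic ones. An inventory that still carries ``ansible_ssh_pass`` next to a newly added ``ansible_password`` is then left with no statement on this page of which value is used; keep a short entry that names it as the SSH-specific variable and repeats the vault warning.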
@ -550,8 +550,8 @@ ansible_become_method
|
||||||
Allows to set privilege escalation method
|
Allows to set privilege escalation method
|
||||||
ansible_become_user
|
ansible_become_user
|
||||||
Equivalent to ``ansible_sudo_user`` or ``ansible_su_user``, allows to set the user you become through privilege escalation
|
Equivalent to ``ansible_sudo_user`` or ``ansible_su_user``, allows to set the user you become through privilege escalation
|
||||||
ansible_become_pass
|
ansible_become_password
|
||||||
Equivalent to ``ansible_sudo_pass`` or ``ansible_su_pass``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
|
Equivalent to ``ansible_sudo_password`` or ``ansible_su_password``, allows you to set the privilege escalation password (never store this variable in plain text; always use a vault. See :ref:`best_practices_for_variables_and_vaults`)
|
||||||
ansible_become_exe
|
ansible_become_exe
|
||||||
Equivalent to ``ansible_sudo_exe`` or ``ansible_su_exe``, allows you to set the executable for the escalation method selected
|
Equivalent to ``ansible_sudo_exe`` or ``ansible_su_exe``, allows you to set the executable for the escalation method selected
|
||||||
ansible_become_flags
|
ansible_become_flags
|
||||||
|
|
|
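Review bot: The "Equivalent to" sentence for ``ansible_become_password`` now names ``ansible_sudo_password`` and ``ansible_su_password``, while the neighbouring entries still refer to ``ansible_sudo_user``, ``ansible_su_user``, ``ansible_sudo_exe`` and ``ansible_su_exe``. Confirm that these renamed legacy variables are actually accepted; if the rename came from a search and replace, restore ``ansible_sudo_pass`` and ``ansible_su_pass`` or list both spellings.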
@ -1047,7 +1047,7 @@ Basically, anything that goes into "role defaults" (the defaults folder inside t
|
||||||
This last one can be superceeded by the user via ``ansible_group_priority``, which defaults to ``1`` for all groups.
|
This last one can be superceeded by the user via ``ansible_group_priority``, which defaults to ``1`` for all groups.
|
||||||
This variable, ``ansible_group_priority``, can only be set in the inventory source and not in group_vars/ as the variable is used in the loading of group_vars/.
|
This variable, ``ansible_group_priority``, can only be set in the inventory source and not in group_vars/ as the variable is used in the loading of group_vars/.
|
||||||
|
|
||||||
Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_ssh_user: ramon`` and you run::
|
Another important thing to consider (for all versions) is that connection variables override config, command line and play/role/task specific options and keywords. For example, if your inventory specifies ``ansible_user: ramon`` and you run::
|
||||||
|
|
||||||
ansible -u lola myhost
|
ansible -u lola myhost
|
||||||
|
|
||||||
|
@ -1060,7 +1060,7 @@ For plays/tasks this is also true for ``remote_user``. Assuming the same invento
|
||||||
- command: I'll connect as ramon still
|
- command: I'll connect as ramon still
|
||||||
remote_user: lola
|
remote_user: lola
|
||||||
|
|
||||||
will have the value of ``remote_user`` overwritten by ``ansible_ssh_user`` in the inventory.
|
will have the value of ``remote_user`` overwritten by ``ansible_user`` in the inventory.
|
||||||
|
|
||||||
This is done so host-specific settings can override the general settings. These variables are normally defined per host or group in inventory,
|
This is done so host-specific settings can override the general settings. These variables are normally defined per host or group in inventory,
|
||||||
but they behave like other variables.
|
but they behave like other variables.
|
||||||
|
@ -1069,7 +1069,11 @@ If you want to override the remote user globally (even over inventory) you can u
|
||||||
|
|
||||||
ansible... -e "ansible_user=maria" -u lola
|
ansible... -e "ansible_user=maria" -u lola
|
||||||
|
|
||||||
the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``ansible_ssh_user``, or ``remote_user``) might be set.
|
the ``lola`` value is still ignored, but ``ansible_user=maria`` takes precedence over all other places where ``ansible_user`` (or ``remote_user``) might be set.
|
||||||
|
|
||||||
|
A connection-specific version of a variable takes precedence over more generic
|
||||||
|
versions. For example, ``ansible_ssh_user`` specified as a group_var would have
|
||||||
|
a higher precedence than ``ansible_user`` specified as a host_var.
|
||||||
|
|
||||||
You can also override as a normal variable in a play::
|
You can also override as a normal variable in a play::
|
||||||
|
|
||||||
|
|
|
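Review bot: the rewritten sentence about ``-e "ansible_user=maria"`` drops ``ansible_ssh_user`` from its parenthetical, while the paragraph added right after it says a connection-specific name such as ``ansible_ssh_user`` outranks ``ansible_user`` even when the former is a group_var and the latter a host_var. Read together, the two leave open whether the extra-var ``ansible_user=maria`` still wins when inventory sets ``ansible_ssh_user``. Since this decides which account the connection is made as, please state that case explicitly, or keep ``ansible_ssh_user`` in the parenthetical if the old claim still holds.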
@ -184,13 +184,13 @@ class ConnectionBase(AnsiblePlugin):
|
||||||
processed on the remote machine, not on the local machine so no
|
processed on the remote machine, not on the local machine so no
|
||||||
shell is needed on the local machine. (Example, ``/bin/sh``)
|
shell is needed on the local machine. (Example, ``/bin/sh``)
|
||||||
:ConnectionCommand: This is the command that connects us to the remote
|
:ConnectionCommand: This is the command that connects us to the remote
|
||||||
machine to run the rest of the command. ``ansible_ssh_user``,
|
machine to run the rest of the command. ``ansible_user``,
|
||||||
``ansible_ssh_host`` and so forth are fed to this piece of the
|
``ansible_ssh_host`` and so forth are fed to this piece of the
|
||||||
command to connect to the correct host (Examples ``ssh``,
|
command to connect to the correct host (Examples ``ssh``,
|
||||||
``chroot``)
|
``chroot``)
|
||||||
:UsersLoginShell: This shell may or may not be created depending on
|
:UsersLoginShell: This shell may or may not be created depending on
|
||||||
the ConnectionCommand used by the connection plugin. This is the
|
the ConnectionCommand used by the connection plugin. This is the
|
||||||
shell that the ``ansible_ssh_user`` has configured as their login
|
shell that the ``ansible_user`` has configured as their login
|
||||||
shell. In traditional UNIX parlance, this is the last field of
|
shell. In traditional UNIX parlance, this is the last field of
|
||||||
a user's ``/etc/passwd`` entry We do not specifically try to run
|
a user's ``/etc/passwd`` entry We do not specifically try to run
|
||||||
the ``UsersLoginShell`` when we connect. Instead it is implicit
|
the ``UsersLoginShell`` when we connect. Instead it is implicit
|
||||||
|
|
|
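Review bot: in the ConnectionCommand entry the docstring now says ``ansible_user``, but the next line still says ``ansible_ssh_host``, so one sentence mixes the standardized and the connection-specific spelling. If the intent is to document the generic names here, update the host variable in the same pass; if ``ansible_ssh_host`` is kept on purpose, say why. The unchanged line "a user's ``/etc/passwd`` entry We do not" is also missing a full stop and could be fixed while this block is open.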
@ -61,6 +61,7 @@ options:
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_httpapi_pass
|
- name: ansible_httpapi_pass
|
||||||
|
- name: ansible_httpapi_password
|
||||||
use_ssl:
|
use_ssl:
|
||||||
type: boolean
|
type: boolean
|
||||||
description:
|
description:
|
||||||
|
|
|
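Review bot: nothing in this vars list says which entry wins when both ``ansible_httpapi_pass`` and ``ansible_httpapi_password`` are set. The changelog fragment promises that the older spelling is treated with lower priority, so if list position is what decides that, the placement of the added ``- name: ansible_httpapi_password`` line carries the behaviour silently. A short comment, or a sentence in the option's description, would keep a later reordering from changing which credential is sent. The same applies to the other connection plugins touched by this commit.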
@ -103,6 +103,7 @@ DOCUMENTATION = """
|
||||||
default: ''
|
default: ''
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_kubectl_username
|
- name: ansible_kubectl_username
|
||||||
|
- name: ansible_kubectl_user
|
||||||
env:
|
env:
|
||||||
- name: K8S_AUTH_USERNAME
|
- name: K8S_AUTH_USERNAME
|
||||||
kubectl_password:
|
kubectl_password:
|
||||||
|
|
|
@ -66,6 +66,7 @@ options:
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_ssh_pass
|
- name: ansible_ssh_pass
|
||||||
|
- name: ansible_ssh_password
|
||||||
private_key_file:
|
private_key_file:
|
||||||
description:
|
description:
|
||||||
- The private SSH key or certificate file used to authenticate to the
|
- The private SSH key or certificate file used to authenticate to the
|
||||||
|
|
|
@ -67,6 +67,8 @@ options:
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_ssh_pass
|
- name: ansible_ssh_pass
|
||||||
|
- name: ansible_ssh_password
|
||||||
|
- name: ansible_netconf_password
|
||||||
private_key_file:
|
private_key_file:
|
||||||
description:
|
description:
|
||||||
- The private SSH key or certificate file used to authenticate to the
|
- The private SSH key or certificate file used to authenticate to the
|
||||||
|
|
|
@ -63,6 +63,7 @@ options:
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_ssh_pass
|
- name: ansible_ssh_pass
|
||||||
|
- name: ansible_ssh_password
|
||||||
private_key_file:
|
private_key_file:
|
||||||
description:
|
description:
|
||||||
- The private SSH key or certificate file used to authenticate to the
|
- The private SSH key or certificate file used to authenticate to the
|
||||||
|
|
|
@ -51,7 +51,9 @@ DOCUMENTATION = """
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_ssh_pass
|
- name: ansible_ssh_pass
|
||||||
|
- name: ansible_ssh_password
|
||||||
- name: ansible_paramiko_pass
|
- name: ansible_paramiko_pass
|
||||||
|
- name: ansible_paramiko_password
|
||||||
version_added: '2.5'
|
version_added: '2.5'
|
||||||
host_key_auto_add:
|
host_key_auto_add:
|
||||||
description: 'TODO: write it'
|
description: 'TODO: write it'
|
||||||
|
|
|
@ -47,6 +47,7 @@ DOCUMENTATION = '''
|
||||||
vars:
|
vars:
|
||||||
- name: ansible_password
|
- name: ansible_password
|
||||||
- name: ansible_ssh_pass
|
- name: ansible_ssh_pass
|
||||||
|
- name: ansible_ssh_password
|
||||||
ssh_args:
|
ssh_args:
|
||||||
description: Arguments to pass to all ssh cli tools
|
description: Arguments to pass to all ssh cli tools
|
||||||
default: '-C -o ControlMaster=auto -o ControlPersist=60s'
|
default: '-C -o ControlMaster=auto -o ControlPersist=60s'
|
||||||
|
@ -605,7 +606,7 @@ class Connection(ConnectionBase):
|
||||||
b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
|
b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
|
||||||
b"-o", b"PasswordAuthentication=no"
|
b"-o", b"PasswordAuthentication=no"
|
||||||
),
|
),
|
||||||
u"ansible_password/ansible_ssh_pass not set"
|
u"ansible_password/ansible_ssh_password not set"
|
||||||
)
|
)
|
||||||
|
|
||||||
user = self._play_context.remote_user
|
user = self._play_context.remote_user
|
||||||
|
@ -924,7 +925,7 @@ class Connection(ConnectionBase):
|
||||||
|
|
||||||
if states[state] == 'awaiting_prompt':
|
if states[state] == 'awaiting_prompt':
|
||||||
if self._flags['become_prompt']:
|
if self._flags['become_prompt']:
|
||||||
display.debug('Sending become_pass in response to prompt')
|
display.debug('Sending become_password in response to prompt')
|
||||||
stdin.write(to_bytes(self._play_context.become_pass) + b'\n')
|
stdin.write(to_bytes(self._play_context.become_pass) + b'\n')
|
||||||
# On python3 stdin is a BufferedWriter, and we don't have a guarantee
|
# On python3 stdin is a BufferedWriter, and we don't have a guarantee
|
||||||
# that the write will happen without a flush
|
# that the write will happen without a flush
|
||||||
|
|
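Review bot: the debug text now says ``become_password`` while the following line still reads ``self._play_context.become_pass``, so anyone matching the log string against the code finds no attribute of that name. Either leave the message as ``become_pass`` until the attribute itself is renamed, or rename both together. The message records only that the password is being sent, not its value, and that should stay unchanged whichever spelling is chosen.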