How to specify sudo password for Ansible at the cli (method # 1)
The syntax is:
ansible-playbook -i inventory my.yml \ --extra-vars 'ansible_become_pass=YOUR-PASSWORD-HERE'
From the security perspective typing password at the CLI argument is not a good idea. Hence, you can force ansible-playbook to ask for the password:
ansible-playbook --ask-sudo-pass -i inventory my.yml
The sudo <kbd style="box-sizing: inherit; font-size: 11px; font-family: Arial, "Helvetica Neue", Helvetica, sans-serif; display: inline-block; margin: 0px 0.1em; padding: 0.1em 0.6em; line-height: 1.4; color: rgb(36, 39, 41); text-shadow: rgb(255, 255, 255) 0px 1px 0px; background-color: rgb(225, 227, 229); border: 1px solid rgb(173, 179, 185); border-radius: 3px; box-shadow: rgba(12, 13, 14, 0.2) 0px 1px 0px, rgb(255, 255, 255) 0px 0px 0px 2px inset; white-space: nowrap;">--ask-sudo-pass</kbd> has been deprecated in favor of the “become” command line arguments, so run:
ansible-playbook --ask-become-pass -i inventory my.yml
A note about specifying ssh username and password at the CLI
The syntax is:
ansible-playbook -i inventory my.yml \ --extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE' \ --extra-vars='ansible_ssh_user=YOUR-SSH-USERNAME-HERE'
OR
ansible-playbook -i inventory my.yml -u YOUR-SSH-USERNAME-HERE \ --extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE'
Here is my sample inventory file:
[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vivek # ssh login user
ansible_become=yes # use sudo
ansible_become_method=sudo
[cluster]
www1
www2
www3
db1
db2
cache1
cache2
Here is my my.yml file:
---
- hosts: cluster
tasks:
- name: Updating host using apt
apt:
update_cache: yes
upgrade: dist
- name: Update kernel to spefic version
apt:
name: "{{ k_ver }}"
state: latest
- name: Clean unwanted olderstuff
apt:
autoremove: yes
purge: yes
I ran command as follows:
ansible-playbook --ask-become-pass -i inventory my.yml
How to specify sudo password for ansible-playbook
How to store and use sudo passwed in a vault (method # 2)
First update your inventory file as follows:
[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vivek # ssh login user
ansible_become=yes # use sudo
ansible_become_method=sudo
ansible_become_pass='{{ my_cluser_sudo_pass }}'
[cluster]
www1
www2
www3
db1
db2
cache1
cache2
Next create a new encrypted data file named password.yml, run the following command:
$ ansible-vault create passwd.yml
Set the password for vault. After providing a password, the tool will start whatever editor you have defined with ansible-playbook -i inventory --ask-vault-pass --extra-vars '@passwd.yml' my.yml`
How to edit my encrypted file again
ansible-vault edit passwd.yml
How to change password for my encrypted file
ansible-vault rekey passwd.yml
Disable sudo login without password on all remote servers
README: How to create a new sudo user on Ubuntu Linux server
Login to your remote box:
ssh vivek@server1.cyberciti.biz sudo -i
Make sure vivek user is part of sudo/wheel group that allowed to sudo using id command:
id vivek
Edit sudo config file using the visudo command:
sudo visudo
Make sure following line deleted or commented out:
vivek ALL=(ALL) NOPASSWD:ALL
Save and close the file.
Summary
In short use following options for the ansible-playbook command with vault or without vault file:
- -i inventory : Set path to your inventory file.
- --ask-vault-pass : Ask for vault password
- --extra-vars '@passwd.yml' – Set extra variable. In this case set path to vault file named passwd.yml.
- --ask-become-pass : Ask for sudo password
网友评论