Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you may not be able to execute some actions.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

How to lock a user using ansible?

F
fbio last edited by

Given a username, if that user exists, lock it, otherwise keep it missing.

The most likely module is ansible.builtin.user. There passing password: "*" and shell: "/usr/sbin/nologin" mostly achieves the lock behavior, but it also creates the user. The state property only has possible values present and absent, neither of which describes the desired behavior.

One can obtain a fact on the user presence using ansible.builtin.getent and then conditionally use ansible.builtin.user. Is there a better way?
Reply Quote 0
1 Reply Last reply
J
juvenalb last edited by
... mostly achieves the lock behavior, but it also creates the user. The state property only has possible values present and absent ...

Right, that would be the best approach and expected behavior.

One can obtain a fact on the user presence using ansible.builtin.getent and then conditionally use ansible.builtin.user.

And also right, this would be too the recommended approach.

In other words, currently there is no possibility to configure such within one single task and if not using shell module, custom scripts or custom modules.

Similar Q&A
- https://serverfault.com/a/1035610/448950
Reply Quote 0
1 Reply Last reply

ansible 552

2
Posts

3
Views

Suggested Topics

Z

Ansible - when statement task always return false value
Continuous Integration and Delivery (CI, CD) • ansible • • zymir

2

0
Votes

2
Posts

1
Views

M

Your statements look ok. If I create a test case from the sparse info you provided and what I can observe when gathering facts from my own hosts, I can detect old/recent distributions correctly using your conditions. See my example below. I suggest you double check the data gathered from your host to understand why it doesn't match. The easiest way for that: from the same host your use to launch your playbook, run ansible -i path/to/your_inventory.ini your_target_group_name -m setup -a "filter=ansible_distribution*" Here is the test.yml playbook I wrote to test your (known-so-far) values and your conditions --- - name: Statements for checking old/recent distribs hosts: localhost gather_facts: false vars: os_list: - ansible_distribution: "Amazon" ansible_distribution_version: "(Karoo)" ansible_distribution_major_version: "(Karoo)" - ansible_distribution: "Amazon" ansible_distribution_version: "2018.03" ansible_distribution_major_version: "2018" - ansible_distribution: "RedHat" ansible_distribution_version: "6.x" ansible_distribution_major_version: "6" - ansible_distribution: "RedHat" ansible_distribution_version: "7.x" ansible_distribution_major_version: "7" tasks: - name: Check conditions for recent distribs debug: msg: "This is a recent distrib" loop: "{{ os_list }}" loop_control: label: "{{ item.ansible_distribution }}-{{ item.ansible_distribution_version }}" when: ( item.ansible_distribution == "Amazon" and item.ansible_distribution_version == "(Karoo)" ) or ( item.ansible_distribution == "RedHat" and item.ansible_distribution_major_version == "7" ) - name: Check conditions for old distribs debug: msg: "This is an old distrib" loop: "{{ os_list }}" loop_control: label: "{{ item.ansible_distribution }}-{{ item.ansible_distribution_version }}" when: ( item.ansible_distribution == "Amazon" and item.ansible_distribution_version == "2018.03" ) or ( item.ansible_distribution == "RedHat" and item.ansible_distribution_major_version == "6" ) And the result PLAY [Statements for checking old/recent distribs] ************************************************************************************************************************************************************************ TASK [Check conditions for recent distribs] ******************************************************************************************************************************************************************************* ok: [localhost] => (item=Amazon-(Karoo)) => { "msg": "This is a recent distrib" } skipping: [localhost] => (item=Amazon-2018.03) skipping: [localhost] => (item=RedHat-6.x) ok: [localhost] => (item=RedHat-7.x) => { "msg": "This is a recent distrib" } TASK [Check conditions for old distribs] ********************************************************************************************************************************************************************************** skipping: [localhost] => (item=Amazon-(Karoo)) ok: [localhost] => (item=Amazon-2018.03) => { "msg": "This is an old distrib" } ok: [localhost] => (item=RedHat-6.x) => { "msg": "This is an old distrib" } skipping: [localhost] => (item=RedHat-7.x) PLAY RECAP **************************************************************************************************************************************************************************************************************** localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 As you can see it does the job as expected. So either your data is not gathered correctly or your check the wrong values. Note: When @Vladimir Botka asks for an MCVE in the comments, this is a typical example.
C

Error 502 before execute Ansible playbook
Continuous Integration and Delivery (CI, CD) • ansible deployment • • Cleofas

2

0
Votes

2
Posts

1
Views

First - @caxcaxcoatl is completly right - your playbook is not Ansible, it is a bash script inside Ansible and that isn't Ansible. Your error doesn't have something to do with your playbook, but with that, what the playbook is doing. You're redeploying an application and then the proxy in front of the Tomcat cannot read the response from your Tomcat. So your deployment is wrong, has some failures, what ever. You should have a look at your Tomcat HTTP response (without the Proxy in front) direct on the machine (with curl, telnet or whatever). Maybe you should also check the logs of Tomcat to get the error. The proxy sends the error, because the Tomcat is answering with a 500 HTTP error code, when the proxy hits /portal-client/cm/misalud/. To give you a hint, how a playbook could look like (of course this wasn't the question, and it could be done much better then this with includes for a unspecific WAR and just call include_tasks on all available WARs in the main playbook, or with a Ansible module written in Python just giving the params of the new WAR etc.): - name: Deploy war hosts: grupo1 vars: webapps_cur "/opt/tomcat/catalina_base/webapps" webapps_old: "/opt/tomcat/catalina_base/webapps.old" tasks: - name: "Stop Tomcat" systemd: name: tomcat state: stopped - name: "Delete old Backup WARs" file: path: "{{ webapps_old }}/{{ item }}" state: absent with_items: - "portal-admin" - "portal-client" - name: "Backup the current WARs" copy: src: "{{ webapps_cur }}/{{ item }}" dest: "{{ webapps_old }}/{{ item }}" remote_src: true with_items: - "portal-admin" - "portal-client" - name: "Delete the current WARs" file: path: "{{ webapps_cur }}/{{ item }}" state: absent with_items: - "portal-admin" - "portal-client" - name: "Deploy new WARs" unarchive: src: "/tmp/{{ item }}.war" dest: "{{ webapps_cur }}/{{ item }}" user: "tomcat" group: "tomcat" with_items: - "portal-admin" - "portal-client" - name: "Start Tomcat" systemd: name: tomcat state: started
J

reboot server during Ansible tasks
Continuous Integration and Delivery (CI, CD) • linux centos ansible • • Jolied

2

0
Votes

2
Posts

1
Views

R

Use this source code for reboot your client machine --- - name: System Reboot hosts: debian become_method: sudo become_user: root become: true tasks: - name: reboot nodes # Reboot client side debian machine shell: sleep 2 && shutdown -r now "Ansible reboot" async: 1 poll: 0 ignore_errors: true - name: wait for the server to come back # when server timeout it through error. That error is handle by ignore_errors. local_action: wait_for args: host: "{{ inventory_hostname }}" port: 22 state: started delay: 120 timeout: 200 ignore_errors: true
E

Cannot pull ansible docker image
Continuous Integration and Delivery (CI, CD) • ansible • • esther

2

0
Votes

2
Posts

1
Views

D

If run you docker pull ``` , you are implicitly asking for a tag named latest. There is no such tag available from the Ansible repository. You can see a list of available tags at https://hub.docker.com/r/ansible/ansible/tags/. For example, if you wanted the fedora27py3 version of the image, you would run: docker pull ansible/ansible:fedora27py3 I note that the most recent of thoses images is 7 months old. If you're experimenting iwth Ansible you might want to just install it into a Python virtual environment.
Replacement of line in file with ansible
Software Programming • html linux ansible • • jeanid

2

0
Votes

2
Posts

0
Views

Not counting backwards at the beginning of h1 and the date, the sequence is mixed.^([ \t])+<h1 class=\"text\">POSTGRES MIRROR №2 Version:[0-9]{1,3} Date\/Time last update: ([0-9]{1,2}.[0-9]{1,2}.[0-9]{4})\/([0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2})<\/h1>$ Ansible_date_time on default of another format, use: https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html
M

Waiting for privilege escalation prompt
Continuous Integration and Delivery (CI, CD) • windows ansible • • magpie

2

0
Votes

2
Posts

1
Views

M

You don't need to be a privileged user (in your local machine) in order to execute Ansible playbook. When using become, Ansible allows you to ‘become’ another user, different from the user that logged into the machine (remote user). For more details see Understanding Privilege Escalation In your inventory of hosts /etc/ansible/host you have specified a group of IPs with root user while you are specifying a remote_user: ronenal in your playbook. So you need to run ansible-playbook with --ask-become-pass or -K.
C

How many DB instances to use? When to switch to container services?
Continuous Integration and Delivery (CI, CD) • docker azure databases infrastructure as code • • chanisef

2

0
Votes

2
Posts

1
Views

E

The choice of the approach is a risk assessment, if one of the DB client (application) goes wild and bring your server instance down, what is the cost in term of human hours lost during the outage ? If you run the DB yourself instead of managed you have to include your time costs to update it, backup it, monitoring it, etc. is it really cheaper ? All this is very company specific and need to take into account the human cost, does a staging environment down block 1 or 80 devs ? Are the devs junior or senior ? The cost per hour of outage change a lot from these simple two metrics. At the end of the day, that's a judgement on accepted risk of outage and capacity to restart versus administration time to avoid the outage for which there's no magical mathematics formula.
N

The right way to Ansiblically deploy environments directly from Github:
Continuous Integration and Delivery (CI, CD) • bash github curl ansible shell script • • Nykeriab

2

0
Votes

2
Posts

1
Views

There is no "right" or "wrong". If the commands work when you type them in, then they work, and we won't keep you from doing it. Everything else is opinion. Sure, there are some best practices, for example some people find it unwise to directly fetch scripts from a public (3rd party) website and execute those locally without having a look inside first. It goes without saying that your approach is in fact a rather significant risk. You are effectively giving root access on the target machine (and any other machine your local user has ssh keys for...) to anyone who can push into your repository. How earnest that risk is is something only you can decide.
Running consul in the background using Chef
Continuous Integration and Delivery (CI, CD) • bash process chef consul • • Bogopo

2

0
Votes

2
Posts

1
Views

S

The usual way to do that is to use a service manager (systemd or supervisord) to handle the service lifecycle (keeping the consul program running and restarting it if it fails for exemple) there's cookbooks existing to help creating those service units. The cheap alternative if you count on chef running periodically and handling that is to use nohup which is a linux program made exactly for this.
S

Execute multiple Ansible tasks with the same list of items
Continuous Integration and Delivery (CI, CD) • ansible • • simrah

2

0
Votes

2
Posts

1
Views

Make separate tasks file make_site.yml: --- - name: Install apache site conf template: src: apache-sites-{{ site }}-conf.j2 dest: /etc/apache2/sites-available/{{ site }}.conf mode: 0644 - name: Enable site apache conf command: a2ensite {{ site }} args: creates: /etc/apache2/sites-enabled/{{ site }}.conf And in your playbook: - include_tasks: make_site.yml with_items: - sitea - siteb - sitec - sited loop_control: loop_var: site
S

Use of plastics for certain hosts in Ansible
Software Programming • python ansible • • Saumya

2

0
Votes

2
Posts

0
Views

O

Use the parameter. -l♪ --limit: -l SUBSET, --limit=SUBSET further limit selected hosts to an additional pattern To describe the template (pattern) in Ansible https://docs.ansible.com/ansible/latest/intro_patterns.html#patterns :For one host or group:ansible-playbook playbook.yml -i hosts -l 'cl-node1' Some can be listed through ::ansible-playbook playbook.yml -i hosts -l 'cl-node1:cl-node2:cl-node3' The range may be indicated:ansible-playbook playbook.yml -i hosts -l 'cl-node[1-2]' We can use masks.ansible-playbook playbook.yml -i hosts -l 'cl-node*' There's also intersections, denials, and all that can be combined. Examples can be found https://docs.ansible.com/ansible/latest/intro_patterns.html#patterns ♪Besides, you can. https://docs.ansible.com/ansible/latest/intro_dynamic_inventory.html ♪ For example, in order to carry a playbook on a local car:ansible-playbook playbook.yml -i 'localhost,' Call attention, comma after. localhost It's important, because it's a list!
Value added to variable gauge
Software Programming • ansible ansible playbook • • morde

2

0
Votes

2
Posts

0
Views

Like that?# Имя модуля: - copy: # Контент означет то, что ниже можно пихать любой блок текста - он # будет записан в файл, который увказывается в "dest". # "item" - это как "i" в конструкции "for i in a b c". content: | test_ip: 111 {{ item }} 222 dest: /tmp/ip-is-{{ item }} # "test" - это ваша переменная, # которая будет играть роль того "a b c" из комментария выше with_items: - "{{ test }}"
N

How to skip rest of hosts when item found in host - Ansible
Continuous Integration and Delivery (CI, CD) • ansible • • Nykeriab

2

0
Votes

2
Posts

1
Views

A

Let's test the use-case with 10 remote hosts (test_01 - test_10) in the group test and user my-user in the hosts test_03 and test_07. To test the existence of the user, use the shell command shell> cat /etc/passwd|grep my-user ``` For example the playbook shell> cat playbook.yml - hosts: test tasks: - shell: cat /etc/passwd|grep my-user register: result ignore_errors: true - set_fact: results: "{{ results|default({})| combine({item: hostvars[item].result.rc}) }}" loop: "{{ ansible_play_hosts }}" run_once: true - debug: var: results run_once: true ``` gives ok: [test_01] => results: test_01: 1 test_02: 1 test_03: 0 test_04: 1 test_05: 1 test_06: 1 test_07: 0 test_08: 1 test_09: 1 test_10: 1 ``` To skip the rest of the hosts, when the first host is found, iterate the list of the hosts and test rc. Then add the host to a new group and run the next play with this group. For example, shell> cat playbook.yml - hosts: test vars: dresult: rc: 1 tasks: - block: - shell: cat /etc/passwd|grep my-user register: result loop: "{{ ansible_play_hosts }}" delegate_to: "{{ item }}" ignore_errors: true when: (result|default(dresult)).rc == 1 - set_fact: my_host: "{{ result.results|json_query('[?rc == `0`].item')|first }}" - debug: var: my_host - add_host: name: "{{ my_host }}" groups: my_group run_once: true hosts: my_group tasks: debug: var: inventory_hostname <p>gives</p> <pre class="lang-yaml prettyprint-override"><code>shell> ansible-playbook playbook.yml PLAY [test] **** TASK [shell] **** failed: [test_01 -> test_01] (item=test_01) => changed=true ansible_loop_var: item cmd: cat /etc/passwd|grep my-user delta: '0:00:00.023271' end: '2020-09-25 08:20:31.823168' item: test_01 msg: non-zero return code rc: 1 start: '2020-09-25 08:20:31.799897' stderr: '' stderr_lines: <omitted> stdout: '' stdout_lines: <omitted> failed: [test_01 -> test_02] (item=test_02) => changed=true ansible_loop_var: item cmd: cat /etc/passwd|grep my-user delta: '0:00:00.017642' end: '2020-09-25 08:20:33.386657' item: test_02 msg: non-zero return code rc: 1 start: '2020-09-25 08:20:33.369015' stderr: '' stderr_lines: <omitted> stdout: '' stdout_lines: <omitted> changed: [test_01 -> test_03] => (item=test_03) skipping: [test_01] => (item=test_04) skipping: [test_01] => (item=test_05) skipping: [test_01] => (item=test_06) skipping: [test_01] => (item=test_07) skipping: [test_01] => (item=test_08) skipping: [test_01] => (item=test_09) skipping: [test_01] => (item=test_10) ...ignoring TASK [set_fact] **** ok: [test_01] TASK [debug] **** ok: [test_01] => my_host: test_03 TASK [add_host] **** changed: [test_01] PLAY [my_group] **** TASK [debug] **** ok: [test_03] => inventory_hostname: test_03 PLAY RECAP ***** test_01: ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 test_03: ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
K

How to define constants in Ansible?
Continuous Integration and Delivery (CI, CD) • ansible • • kalyn

2

0
Votes

2
Posts

1
Views

As pointed out in the other comment, there are no constants in python. It's just a convention, but defining a variable in capitals, doesn't mean you can't reassign the value. There are many ways to pass/define variables in ansible (command line, vars in playbook, include a yaml, vars dir in a role, defaults dir, etc) however, there isn't a way to define a constant. The closest to setting a constant in the way you ask for it is setting your variables as defaults(that is defaults/main.yml inside the role structure). The defaults of a role are the type of variables that have the lowest precedence and are being overwritten by any other way you can define a var but are a great place to put a variable that is unlikely to change and won't clutter your "important" role vars. Regarding the way you define them - I'd say it's up to you. Just stick to it. I haven't seen anybody using capitals and I would probably make the variable lower case, however, since ansible provides tremendeous amount of flexibility and freedom to do what you like the way you like it, it really is up to you.
E

Using Docker images as vehicles for binary deployment artifacts
Continuous Integration and Delivery (CI, CD) • docker continuous integration • • emran

2

0
Votes

2
Posts

1
Views

I've seen it done before but wouldn't call it common. There are other artifact servers, and many git repositories have the concept of a release with artifacts that makes more sense. I suspect Docker Hub is one of many artifact servers to introduce rate limits and other usage caps, so if you do this, make sure you control (or pay for) the registry server. Otherwise the risk is you'll exceed limits and lose access to your artifacts. If you only want to copy binaries, then I'd skip the base image and use FROM scratch. It's also possible to bypass the docker engine entirely and pull the artifacts from the registry server directly to the filesystem. I have a regclient project that ships a regctl command with regctl image manifest and regctl layer pull commands. E.g.: $ regctl image manifest regclient/regctl { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 3019, "digest": "sha256:e3abac7c7ce78aaa5efddb5abedd54f8ed3077d9d5b03b5a66ecf9f4c3502454" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 930, "digest": "sha256:41437cd6a6e3d3098329474c62ccc5bd01fcf6b41bf35f0e8c89db96110b23ac" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 122413, "digest": "sha256:69d6afda22ccf4f223c016bfd3a108fe0a1ddd15c72978bd238b19201e0e1973" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 161, "digest": "sha256:57dd9736a25ab0b55d9d364dc20ee0946a844a8ac72d7f986ef902826f933e89" }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 3963283, "digest": "sha256:282c5a3b4b6c8bf0b7038204919bbfc26c8b120cd87f4a1f573c12c808774c1c" } ] } $ regctl layer pull regclient/regctl sha256:282c5a3b4b6c8bf0b7038204919bbfc26c8b120cd87f4a1f573c12c808774c1c | tar -tzvf - -rwxr-xr-x root/root 10235904 2020-11-05 20:52 regctl Note that the sha's are unique and persistent, so if that hash is unchanged there's no need to pull the binary again. And the above example has a few extra layers since the command is expected to run in the image as a non-root user (/etc/passwd, ca-certificates, and a home directory). For a non-running image, that could be a single layer. E.g.: # change image to your scratch-based source image=regclient/regctl store=/tmp sha=$(regctl image manifest $image --format '{{ (index .Layers 0).Digest}}') if [ ! -d "$store/$sha" ]; then mkdir -p "$store/$sha" regctl layer pull $image $sha | tar -xzvf - -C "$store/$sha" fi echo "result in $store/$sha"

How to lock a user using ansible?

Suggested Topics

Ansible - when statement task always return false value Continuous Integration and Delivery (CI, CD) • ansible • • zymir

Error 502 before execute Ansible playbook Continuous Integration and Delivery (CI, CD) • ansible deployment • • Cleofas

reboot server during Ansible tasks Continuous Integration and Delivery (CI, CD) • linux centos ansible • • Jolied

Cannot pull ansible docker image Continuous Integration and Delivery (CI, CD) • ansible • • esther

Replacement of line in file with ansible Software Programming • html linux ansible • • jeanid

Waiting for privilege escalation prompt Continuous Integration and Delivery (CI, CD) • windows ansible • • magpie

How many DB instances to use? When to switch to container services? Continuous Integration and Delivery (CI, CD) • docker azure databases infrastructure as code • • chanisef

The right way to Ansiblically deploy environments directly from Github: Continuous Integration and Delivery (CI, CD) • bash github curl ansible shell script • • Nykeriab

Running consul in the background using Chef Continuous Integration and Delivery (CI, CD) • bash process chef consul • • Bogopo

Execute multiple Ansible tasks with the same list of items Continuous Integration and Delivery (CI, CD) • ansible • • simrah

Use of plastics for certain hosts in Ansible Software Programming • python ansible • • Saumya

Value added to variable gauge Software Programming • ansible ansible playbook • • morde

How to skip rest of hosts when item found in host - Ansible Continuous Integration and Delivery (CI, CD) • ansible • • Nykeriab

How to define constants in Ansible? Continuous Integration and Delivery (CI, CD) • ansible • • kalyn

Using Docker images as vehicles for binary deployment artifacts Continuous Integration and Delivery (CI, CD) • docker continuous integration • • emran

Ansible - when statement task always return false value
Continuous Integration and Delivery (CI, CD) • ansible • • zymir

Error 502 before execute Ansible playbook
Continuous Integration and Delivery (CI, CD) • ansible deployment • • Cleofas

reboot server during Ansible tasks
Continuous Integration and Delivery (CI, CD) • linux centos ansible • • Jolied

Cannot pull ansible docker image
Continuous Integration and Delivery (CI, CD) • ansible • • esther

Replacement of line in file with ansible
Software Programming • html linux ansible • • jeanid

Waiting for privilege escalation prompt
Continuous Integration and Delivery (CI, CD) • windows ansible • • magpie

How many DB instances to use? When to switch to container services?
Continuous Integration and Delivery (CI, CD) • docker azure databases infrastructure as code • • chanisef

The right way to Ansiblically deploy environments directly from Github:
Continuous Integration and Delivery (CI, CD) • bash github curl ansible shell script • • Nykeriab

Running consul in the background using Chef
Continuous Integration and Delivery (CI, CD) • bash process chef consul • • Bogopo

Execute multiple Ansible tasks with the same list of items
Continuous Integration and Delivery (CI, CD) • ansible • • simrah

Use of plastics for certain hosts in Ansible
Software Programming • python ansible • • Saumya

Value added to variable gauge
Software Programming • ansible ansible playbook • • morde

How to skip rest of hosts when item found in host - Ansible
Continuous Integration and Delivery (CI, CD) • ansible • • Nykeriab

How to define constants in Ansible?
Continuous Integration and Delivery (CI, CD) • ansible • • kalyn

Using Docker images as vehicles for binary deployment artifacts
Continuous Integration and Delivery (CI, CD) • docker continuous integration • • emran