I need to add new users to multiple Ubuntu servers. Unfortunately, the password and username are not consistent. Every machine has its own username and the password cannot be the same. For example, host-1 will have a user account host-1_username with password host-1_password and host-2 will have a user account host-2_username with password host-2_password, and so on.
I would like to do that with Ansible. I have a list.yaml file:
---
list:
  - hostname: host-1
    username: host-1_username
    password: host-1_password
  - hostname: host-2
    username: host-2_username
    password: host-2_password
  - hostname: host-3
    username: host-3_username
    password: host-3_password
Here is my Ansible playbook:
- name: Create new user
  vars_files:
    - list.yml
  hosts: "{{ item.hostname }}"
  remote_user: root
  become: true
  tasks:
    - name: Create new user
      ansible.builtin.user:
        name: "{{ item.username }}"
        groups: sudo
        password: "{{ item.password | password_hash('sha512') }}"
        shell: /bin/bash
    - name: Modify sshd_config
      ansible.builtin.lineinfile:
        dest: /etc/ssh/sshd_config
        line: 'AllowUsers {{ item.username }}'
  loop: "{{ list }}"
But it looks like Ansible cannot use the variable in the hosts field:
ERROR! couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
I am very new to Ansible, any help is appreciated!
Given the data
shell> cat list.yml
users_list:
  - hostname: host-1
    username: host-1_username
    password: host-1_password
  - hostname: host-2
    username: host-2_username
    password: host-2_password
  - hostname: host-3
    username: host-3_username
    password: host-3_password
Create an inventory file, e.g.
shell> cat hosts
host-1
host-2
host-3
Convert the data to dictionaries, e.g.
- hosts: all
  gather_facts: false
  vars_files:
    - list.yml
  tasks:
    - set_fact:
        users_dict: "{{ users_list|items2dict(key_name='hostname', value_name='username') }}"
        psswd_dict: "{{ users_list|items2dict(key_name='hostname', value_name='password') }}"
      run_once: true
gives
users_dict:
  host-1: host-1_username
  host-2: host-2_username
  host-3: host-3_username
and
psswd_dict:
  host-1: host-1_password
  host-2: host-2_password
  host-3: host-3_password
Use the dictionaries to select the hosts' specific users and passwords, e.g.
- debug:
    msg: "Create user: {{ users_dict[inventory_hostname] }}
          password: {{ psswd_dict[inventory_hostname] }}"
gives
TASK [debug] ***************************************************************
ok: [host-1] =>
msg: 'Create user: host-1_username password: host-1_password'
ok: [host-2] =>
msg: 'Create user: host-2_username password: host-2_password'
ok: [host-3] =>
msg: 'Create user: host-3_username password: host-3_password'
You can omit the inventory file and create a playbook completely driven by the data. Create the dynamic group my_group in the first play and use it in the second one. The playbook below gives the same results.
- name: Create dynamic group of the hosts from users_list
  hosts: localhost
  gather_facts: false
  vars_files:
    - list.yml
  tasks:
    - add_host:
        name: "{{ item.hostname }}"
        groups: my_group
      loop: "{{ users_list }}"

- name: Create users
  hosts: my_group
  gather_facts: false
  vars_files:
    - list.yml
  tasks:
    - set_fact:
        users_dict: "{{ users_list|items2dict(key_name='hostname', value_name='username') }}"
        psswd_dict: "{{ users_list|items2dict(key_name='hostname', value_name='password') }}"
      run_once: true
    - debug:
        var: users_dict
      run_once: true
    - debug:
        var: psswd_dict
      run_once: true
    - debug:
        msg: "Create user: {{ users_dict[inventory_hostname] }}
              password: {{ psswd_dict[inventory_hostname] }}"
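The following Python script is an added example and is not part of the answer above or of Ansible itself. It reproduces what items2dict does to users_list and then checks the data file for the two mistakes that would otherwise only show up on the servers: an inventory host with no entry in users_list (the users_dict[inventory_hostname] lookup fails for it), and a hostname listed twice (items2dict keeps only the last entry, so one host would silently get another entry's account). The data is constructed from the question; host-4 is an assumed extra inventory host used to show the missing-entry case.

```python
"""Dry run of the per-host user/password lookup before anything is applied."""
from collections import Counter

# Constructed to match list.yml from the question.
USERS_LIST = [
    {"hostname": "host-1", "username": "host-1_username", "password": "host-1_password"},
    {"hostname": "host-2", "username": "host-2_username", "password": "host-2_password"},
    {"hostname": "host-3", "username": "host-3_username", "password": "host-3_password"},
]


def items2dict(items, key_name, value_name):
    """Same mapping as Ansible's items2dict filter: a later duplicate key wins."""
    return {item[key_name]: item[value_name] for item in items}


def duplicate_hostnames(items):
    """Hostnames that appear more than once; items2dict would drop all but the last."""
    counts = Counter(item["hostname"] for item in items)
    return sorted(name for name, n in counts.items() if n > 1)


def missing_hosts(inventory, items):
    """Inventory hosts with no users_list entry; the dictionary lookup would fail."""
    known = {item["hostname"] for item in items}
    return sorted(host for host in inventory if host not in known)


def plan(inventory, items):
    """Resolve what each host receives: (username, AllowUsers line) per host.

    Refuses bad data instead of letting it reach sshd_config: an AllowUsers
    line written for the wrong account cannot be corrected over SSH once
    the other accounts are locked out.
    """
    dups = duplicate_hostnames(items)
    if dups:
        raise ValueError(f"duplicate hostnames in users_list: {dups}")
    missing = missing_hosts(inventory, items)
    if missing:
        raise ValueError(f"inventory hosts without credentials: {missing}")
    users_dict = items2dict(items, "hostname", "username")
    return {host: (users_dict[host], f"AllowUsers {users_dict[host]}") for host in inventory}


if __name__ == "__main__":
    for host, (user, line) in plan(["host-1", "host-2", "host-3"], USERS_LIST).items():
        print(f"{host}: create {user}, sshd_config gets '{line}'")
    try:
        plan(["host-1", "host-4"], USERS_LIST)  # host-4 is assumed, not in the question
    except ValueError as exc:
        print("refused:", exc)
```

Two points worth checking before running the real playbook: once an AllowUsers line exists, sshd only accepts the users it lists, so the account Ansible itself logs in with (root in the question) must be listed too or the next run locks itself out; and password_hash('sha512') without an explicit salt produces a different hash every run, which makes the user task report a change each time.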
I want to improve my Ansible role because I have a lot of users to roll out.
For each user that is created there will also be multiple folders
created, and this is very time consuming.
This is my users.yml file where I put every single user (>1000):
ftp_users:
  testuser1:
    public_key: "public key"
    password: "sha string"
    home: /home/testuser1
    customer_type: linux
  testuser2:
    public_key: "public key"
    password: "sha string"
    home: /home/testuser2
    customer_type: windows
For these 2 users I want to create two folders, "in" and "out".
Therefore I've created two tasks where I iterate over the dictionary:
- name: Create required out-folder for jailed users.
  become: true
  ansible.builtin.file:
    owner: "{{ item.key }}"
    group: ftpusers
    mode: "0770"   # quoted so YAML does not read the leading-zero value as an integer
    path: "/home/{{ item.value.customer_type }}/{{ item.key }}/out"
    state: directory
  loop: "{{ ftp_users | dict2items }}"
  when: "'state' not in item.value or item.value.state == 'present'"
- name: Create required in-folder for jailed users.
  become: true
  ansible.builtin.file:
    owner: "{{ item.key }}"
    group: ftpusers
    mode: "0770"
    path: "/home/{{ item.value.customer_type }}/{{ item.key }}/in"
    state: directory
  loop: "{{ ftp_users | dict2items }}"
  when: "'state' not in item.value or item.value.state == 'present'"
This is very stupid because it takes a lot of time when 1000 users are rolled out.
I want to make one task that simultaneously creates the "in" and "out" folders for every user, so that I don't have to iterate twice over the whole dictionary.
What would be better, nested loops or the product filter?
Can someone show me an example?
Unfortunately block doesn't accept loop, so you could use include_tasks:
- name: "tips4"
  hosts: localhost
  gather_facts: false
  vars:
    ftp_users:
      testuser1:
        public_key: "public key"
        password: "sha string"
        home: /home/testuser1
        customer_type: linux
      testuser2:
        public_key: "public key"
        password: "sha string"
        home: /home/testuser2
        customer_type: windows
  tasks:
    - name: Create required out-folder for jailed users
      include_tasks: create_folders.yml
      loop: "{{ ftp_users | dict2items }}"
      when: "'state' not in item.value or item.value.state == 'present'"
Create another file create_folders.yml in the same folder as your playbook:
# create_folders.yml
---
- name: Create required out-folder for jailed users
  debug:
    msg: "owner: {{ item.key }}, path: /home/{{ item.value.customer_type }}/{{ item.key }}/out"
- name: Create required in-folder for jailed users
  debug:
    msg: "owner: {{ item.key }}, path: /home/{{ item.value.customer_type }}/{{ item.key }}/in"
result:
TASK [Create required out-folder for jailed users]
ok: [localhost] => {
"msg": "owner: testuser1, path: /home/linux/testuser1/out"
}
TASK [Create required in-folder for jailed users]
ok: [localhost] => {
"msg": "owner: testuser1, path: /home/linux/testuser1/in"
}
TASK [Create required out-folder for jailed users]
ok: [localhost] => {
"msg": "owner: testuser2, path: /home/windows/testuser2/out"
}
TASK [Create required in-folder for jailed users]
ok: [localhost] => {
"msg": "owner: testuser2, path: /home/windows/testuser2/in"
}
With this playbook, the in and out folders are created in the same loop, so you just iterate one time...
I've got an ansible playbook with the following vars structure:
TESTS:
  - name: test1
    hosts: ['host_one', 'host_two', 'host_three']
    services: ['service1', 'service2', 'service3']
  - name: test2
    hosts: ['host_four', 'host_five', 'host_six']
    services: ['service4', 'service5', 'service6']
This is the kind of task I want to do, but of course with_subelements only allows one subkey. I've been trying to use with_nested but struggling quite a lot.
- name: check services on each host
  systemd:
    name: "{{item.1}}"
    state: started
  delegate_to: "{{item.2}}"
  with_subelements:
    - "{{TESTS}}"
    - services
    - hosts
I want each service to be checked on each of the corresponding hosts, e.g.
test1:
  service1 on host_one,host_two,host_three
  service2 on host_one,host_two,host_three
  service3 on host_one,host_two,host_three
test2:
  service4 on host_four,host_five,host_six
  service5 on host_four,host_five,host_six
  service6 on host_four,host_five,host_six
When transforming data is complex, I prefer to use a custom plugin:
create a file my_filter.py in the folder filter_plugins (same level as your playbook) and give the filter the name customfilter:
my_filter.py:
#!/usr/bin/python
class FilterModule(object):
    def filters(self):
        return {
            'customfilter': self.customfilter
        }

    def customfilter(self, obj):
        # one record per (name, service, host) combination
        result = []
        for rec in obj:
            for ser in rec["services"]:
                for host in rec["hosts"]:
                    result.append({"name": rec["name"], "service": ser, "host": host})
        # print(result)
        return result
playbook to use the custom filter:
- name: "make this working"
  hosts: localhost
  vars:
    TESTS:
      - name: test1
        hosts: ['host_one', 'host_two', 'host_three']
        services: ['service1', 'service2', 'service3']
      - name: test2
        hosts: ['host_four', 'host_five', 'host_six']
        services: ['service4', 'service5', 'service6']
  tasks:
    - name: Debug
      debug:
        msg: "{{ item }}"
      loop: "{{ TESTS | customfilter }}"
for your playbook:
- name: "check services on each host: {{ item.name }}"
  systemd:
    name: "{{item.service}}"
    state: started
  delegate_to: "{{item.host}}"
  loop: "{{ TESTS | customfilter }}"
I'm going to grant privileges on two MySQL databases to a user from two different IPs using Ansible. What I've got now:
Vars:
#users
root_user: 'root'
root_password: 'root'
prosody_user: 'prosody'
prosody_password: 'prosody'
#databases
oauth_db: "oauth"
#hosts
prosody_hosts: ['10.0.1.4', '10.0.1.5']
Task:
- name: add or update mysql user prosody
  mysql_user:
    name: "{{ prosody_user }}"
    host: "{{ item.host }}"
    password: "{{ prosody_password }}"
    login_user: "{{ root_user }}"
    login_password: "{{ root_password }}"
    check_implicit_admin: yes
    append_privs: yes
    priv: "{{ item.database }}.*:ALL,GRANT"
  with_items:
    - { host: "{{ prosody_hosts[0] }}", database: "{{ oauth_db }}" }
    - { host: "{{ prosody_hosts[1] }}", database: "{{ oauth_db }}" }
    - { host: "{{ prosody_hosts[0] }}", database: "{{ prosody_db }}" }
    - { host: "{{ prosody_hosts[1] }}", database: "{{ prosody_db }}" }
Direct calling of array elements doesn't look very nice. I just want to loop through the prosody_hosts array in the with_items directive, considering that database is not an array.
The goal is to get something like this:
...
with_items:
  - { host: "{{ prosody_hosts }}", database: "{{ oauth_db }}" }
  - { host: "{{ prosody_hosts }}", database: "{{ prosody_db }}" }
Thanks in advance!
What you need is nested loops.
See this Ansible documentation.
Basically you'd end up with something similar to this. Put your databases in a list called 'databases' like you did with hosts. This will execute the task for every host and every database.
I haven't tested this but it should get pretty close.
- name: add or update mysql user prosody
  mysql_user:
    name: "{{ prosody_user }}"
    host: "{{ item[0] }}"
    password: "{{ prosody_password }}"
    login_user: "{{ root_user }}"
    login_password: "{{ root_password }}"
    check_implicit_admin: yes
    append_privs: yes
    priv: "{{ item[1] }}.*:ALL,GRANT"
  with_nested:
    - "{{ prosody_hosts }}"
    - "{{ databases }}"
I have a variable structured like this. I have successfully used this with with_dict with a single key in accessible_from:
vars:
  mysql_dbs:
    db1:
      user: db1_user
      pass: "password"
      accessible_from: localhost
    db2:
      user: db2_user
      pass: "password2"
      accessible_from: '%'
This is applied using the mysql_db ansible module, like this:
- name: Configure mysql users
  mysql_user: name={{ item.value.user }} password={{ item.value.pass }} host={{ item.value.accessible_from | default('localhost')}} priv={{ item.key }}.*:ALL state=present
  with_dict: "{{ mysql_dbs }}"
I would like accessible_from to have the ability to be a list. It doesn't matter if it has to be a list, but a single key/value pair is not enough :) So for example:
vars:
  mysql_dbs:
    db1:
      user: db1_user
      pass: "password"
      accessible_from:
        - server1
        - server2
        - localhost
    db2:
      user: db2_user
      pass: "password"
      accessible_from:
        - '%'
So - the aim is to create all the DBs and users in one play. I've tried playing around with with_subelements, without success. Is it actually possible to do this? Or is it necessary to restructure the data, or rewrite the play? I'll do that if I have to, but I was wondering if there was another way round it.
First: You may refactor your mysql_dbs into a list (because in with_subelements you can't refer to items' keys), like:
mysql_dbs:
  - name: db1
    user: db1_user
    pass: "password"
    accessible_from:
      - server1
      - server2
      - localhost
  - name: db2
    user: db2_user
    pass: "password2"
    accessible_from:
      - '%'
And use with_subelements:
- mysql_user: name={{ item[0].user }} password={{ item[0].pass }} host={{ item[1] }} priv={{ item[0].name }}.*:ALL state=present
  with_subelements:
    - "{{ mysql_dbs }}"
    - accessible_from
But this will fail if accessible_from is undefined for any db. You may use skip_missing, but this will skip entire db. So you can't omit accessible_from in this case.
Second: You may use helper set_fact to form a list with key and value, also defaulting accessible_from to localhost. This will work without refactoring your data:
- set_fact:
    db_name: "{{ item.key }}"
    db_params: "{{ dict(accessible_from=['localhost']) | combine(item.value) }}"
  with_dict: "{{ mysql_dbs }}"
  register: mysql_dbs_fact
  loop_control:
    label: "{{ item.key }}"
- debug:
    msg: "mysql_user: name={{ item[0].db_params.user }} password={{ item[0].db_params.pass }} host={{ item[1] }} priv={{ item[0].db_name }}.*:ALL state=present"
  with_subelements:
    - "{{ mysql_dbs_fact.results | map(attribute='ansible_facts') | list }}"
    - db_params.accessible_from
  loop_control:
    label: "{{ item[0].db_name }}->{{ item[1] }}"
Try this:
vars:
  mysql_dbs:
    db1:
      user: db1_user
      pass: "password"
      accessible_from:
        - acc_from: server1
        - acc_from: server2
        - acc_from: localhost
    db2:
      user: db2_user
      pass: "password"
      accessible_from:
        - acc_from: '%'
tasks:
  - name: Configure mysql users
    debug: msg="{{ item.0.user }} password={{ item.0.pass }} host={{ item.1.acc_from }} priv={{ item.0 }}.*:ALL state=present"
    with_subelements:
      - "{{ mysql_dbs }}"
      - accessible_from
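The Python below is an added example, not code from any of the answers above or from Ansible. It models in plain Python what the set_fact plus with_subelements approach does: dict2items over mysql_dbs, the combine() step that defaults accessible_from to localhost, and a subelements expansion that understands a dotted subkey such as db_params.accessible_from and the skip_missing option. Running it lists every (database, user, host) grant the mysql_user task would perform, so the grant set can be reviewed before it is applied. The data is constructed from the question; db3 is an assumed extra entry with no accessible_from key, used to show the missing-key and default cases.

```python
"""Preview of the (database, user, host) grants produced by the subelements loop."""

# Constructed from the question; db3 is assumed and has no accessible_from key.
MYSQL_DBS = {
    "db1": {"user": "db1_user", "pass": "password",
            "accessible_from": ["server1", "server2", "localhost"]},
    "db2": {"user": "db2_user", "pass": "password", "accessible_from": ["%"]},
    "db3": {"user": "db3_user", "pass": "password3"},
}


def dict2items(d):
    """Same shape as Ansible's dict2items filter: [{'key': k, 'value': v}, ...]."""
    return [{"key": k, "value": v} for k, v in d.items()]


def subelements(items, subkey, skip_missing=False):
    """Expand like with_subelements: one (item, element) pair per element of item[subkey].

    subkey may be dotted ('db_params.accessible_from'). A missing subkey raises
    unless skip_missing is set, in which case the whole item is dropped; that
    is why the answer warns that skip_missing skips the entire db.
    """
    pairs = []
    for item in items:
        node = item
        for part in subkey.split("."):
            if not isinstance(node, dict) or part not in node:
                node = None
                break
            node = node[part]
        if node is None:
            if skip_missing:
                continue
            raise KeyError(f"could not find '{subkey}' in {item}")
        if not isinstance(node, list):
            raise TypeError(f"'{subkey}' must point to a list, got {type(node).__name__}")
        pairs.extend((item, element) for element in node)
    return pairs


def with_defaults(dbs, default_hosts=("localhost",)):
    """The set_fact step: {db_name, db_params} per db, accessible_from defaulted.

    Like dict(accessible_from=['localhost']) | combine(item.value), the db's own
    keys override the default.
    """
    return [
        {"db_name": entry["key"],
         "db_params": {"accessible_from": list(default_hosts), **entry["value"]}}
        for entry in dict2items(dbs)
    ]


def grant_plan(dbs):
    """(db_name, user, host) triples the mysql_user task would loop over."""
    return [(db["db_name"], db["db_params"]["user"], host)
            for db, host in subelements(with_defaults(dbs), "db_params.accessible_from")]


def wildcard_grants(plan):
    """Grants reachable from any client address ('%'); review these before applying."""
    return [(db, user) for db, user, host in plan if host == "%"]


if __name__ == "__main__":
    plan = grant_plan(MYSQL_DBS)
    for db, user, host in plan:
        print(f"mysql_user: name={user} host={host} priv={db}.*:ALL")
    print("open to any host:", wildcard_grants(plan))
```

The wildcard check is the part worth keeping around: a '%' host means the account can authenticate from any address that reaches the server, so listing only the client hosts that need each database keeps the grants to the minimum the data file actually asks for.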
I have a YAML file for the creation of a user.
users:
  username:
    uid: 12345
    gid: 6789
    secggroups:
      - group1
      - group3
    gecos: user_for_xyz
    home: /home/username
I also have a file with just the usernames called users_list. The playbook to create users is as follows:
---
- name: create users
  user: name="{{ item }}" uid={{ users[item]['uid'] }} group={{ users[item]['gid'] }} comment="{{ users[item]['gecos'] }}" home={{ users[item]['home'] }} expires=0
  with_items: "{{ users_list }}"
How can I loop through the groups to be added to the user?
Your playbook is on the right track.
Try this for the users variable:
users:
  - username: someusername
    uid: 12345
    gid: 6789
    groups:
      - group1
      - group3
    gecos: "Some user"
    home: /home/someusername
  - username: someusername
    ... etc ...
And this for the user play:
- name: User creation
  user:
    name: "{{ item.username }}"
    groups: "{{ item.groups | join(',') }}"
    comment: "{{ item.gecos }}"
    uid: "{{ item.uid }}"
  with_items: "{{ users }}"
Note that I modified your syntax to not use inline YAML.
Also you may find this users role helpful.
You can solve this using subelements like this:
- name: User creation
  user:
    name: "{{ item.0.username }}"
    groups: "{{ item.1 }}"
    append: true   # otherwise each iteration replaces the groups set by the previous one
  with_subelements:
    - "{{ users }}"
    - groups
Here is a sample to debug, like a directory tree:
vars:
  test:
    - name: Testing subelements loop
      dir: dir0
      subdir:
        - subdir0
        - subdir1
        - subdir2
tasks:
  - name: Subelements loop sample
    debug:
      msg: "{{ item.0.dir }}/{{ item.1 }}"
    with_subelements:
      - "{{ test }}"
      - subdir
You can find more here: http://docs.ansible.com/ansible/playbooks_loops.html#standard-loops