provisioners/ansible: add force_remote_user option
The benefits of the following "breaking change" are the following: - default behaviour naturally fits with most common usage (i.e. always connect with Vagrant SSH settings) - the autogenerated inventory is more consistent by providing both the SSH username and private key. - no longer needed to explain how to override Ansible `remote_user` parameters Important: With the `force_remote_user` option, people still can fall back to the former behavior (prior to Vagrant 1.8.0), which means that Vagrant integration capabilities are still quite open and flexible.
This commit is contained in:
parent
36d6c430d2
commit
dde94a3ce7
14
CHANGELOG.md
14
CHANGELOG.md
|
@ -9,8 +9,22 @@ FEATURES:
|
||||||
- **IPv6 Private Networks**: Private networking now supports IPv6. This
|
- **IPv6 Private Networks**: Private networking now supports IPv6. This
|
||||||
only works with VirtualBox and VMware at this point. [GH-6342]
|
only works with VirtualBox and VMware at this point. [GH-6342]
|
||||||
|
|
||||||
|
BREAKING CHANGES:
|
||||||
|
|
||||||
|
- the `ansible` provisioner now can override the effective ansible remote user
|
||||||
|
(i.e. `ansible_ssh_user` setting) to always correspond to the vagrant ssh
|
||||||
|
username. This change is enabled by default, but we expect this to affect
|
||||||
|
only a tiny number of people as it corresponds to the common usage.
|
||||||
|
If you however use different remote usernames in your Ansible plays, tasks,
|
||||||
|
or custom inventories, you can simply set the option `force_remote_user` to
|
||||||
|
false to make Vagrant behave the same as before.
|
||||||
|
|
||||||
|
|
||||||
IMPROVEMENTS:
|
IMPROVEMENTS:
|
||||||
|
|
||||||
|
- provisioners/ansible: add new `force_remote_user` option to control whether
|
||||||
|
`ansible_ssh_user` parameter should be applied or not [GH-6348]
|
||||||
|
|
||||||
BUG FIXES:
|
BUG FIXES:
|
||||||
|
|
||||||
- communicator/winrm: respect `boot_timeout` setting [GH-6229]
|
- communicator/winrm: respect `boot_timeout` setting [GH-6229]
|
||||||
|
|
|
@ -2,6 +2,7 @@ module VagrantPlugins
|
||||||
module Ansible
|
module Ansible
|
||||||
class Config < Vagrant.plugin("2", :config)
|
class Config < Vagrant.plugin("2", :config)
|
||||||
attr_accessor :playbook
|
attr_accessor :playbook
|
||||||
|
attr_accessor :force_remote_user
|
||||||
attr_accessor :extra_vars
|
attr_accessor :extra_vars
|
||||||
attr_accessor :inventory_path
|
attr_accessor :inventory_path
|
||||||
attr_accessor :ask_sudo_pass
|
attr_accessor :ask_sudo_pass
|
||||||
|
@ -24,6 +25,7 @@ module VagrantPlugins
|
||||||
|
|
||||||
def initialize
|
def initialize
|
||||||
@playbook = UNSET_VALUE
|
@playbook = UNSET_VALUE
|
||||||
|
@force_remote_user = UNSET_VALUE
|
||||||
@extra_vars = UNSET_VALUE
|
@extra_vars = UNSET_VALUE
|
||||||
@inventory_path = UNSET_VALUE
|
@inventory_path = UNSET_VALUE
|
||||||
@ask_sudo_pass = UNSET_VALUE
|
@ask_sudo_pass = UNSET_VALUE
|
||||||
|
@ -44,6 +46,7 @@ module VagrantPlugins
|
||||||
|
|
||||||
def finalize!
|
def finalize!
|
||||||
@playbook = nil if @playbook == UNSET_VALUE
|
@playbook = nil if @playbook == UNSET_VALUE
|
||||||
|
@force_remote_user = true if @force_remote_user != false
|
||||||
@extra_vars = nil if @extra_vars == UNSET_VALUE
|
@extra_vars = nil if @extra_vars == UNSET_VALUE
|
||||||
@inventory_path = nil if @inventory_path == UNSET_VALUE
|
@inventory_path = nil if @inventory_path == UNSET_VALUE
|
||||||
@ask_sudo_pass = false unless @ask_sudo_pass == true
|
@ask_sudo_pass = false unless @ask_sudo_pass == true
|
||||||
|
@ -56,7 +59,7 @@ module VagrantPlugins
|
||||||
@tags = nil if @tags == UNSET_VALUE
|
@tags = nil if @tags == UNSET_VALUE
|
||||||
@skip_tags = nil if @skip_tags == UNSET_VALUE
|
@skip_tags = nil if @skip_tags == UNSET_VALUE
|
||||||
@start_at_task = nil if @start_at_task == UNSET_VALUE
|
@start_at_task = nil if @start_at_task == UNSET_VALUE
|
||||||
@groups = {} if @groups == UNSET_VALUE
|
@groups = {} if @groups == UNSET_VALUE
|
||||||
@host_key_checking = false unless @host_key_checking == true
|
@host_key_checking = false unless @host_key_checking == true
|
||||||
@raw_arguments = nil if @raw_arguments == UNSET_VALUE
|
@raw_arguments = nil if @raw_arguments == UNSET_VALUE
|
||||||
@raw_ssh_args = nil if @raw_ssh_args == UNSET_VALUE
|
@raw_ssh_args = nil if @raw_ssh_args == UNSET_VALUE
|
||||||
|
|
|
@ -20,13 +20,10 @@ module VagrantPlugins
|
||||||
# Ansible provisioner options
|
# Ansible provisioner options
|
||||||
#
|
#
|
||||||
|
|
||||||
# By default, connect with Vagrant SSH username
|
|
||||||
options = %W[--user=#{@ssh_info[:username]}]
|
|
||||||
|
|
||||||
# Connect with native OpenSSH client
|
# Connect with native OpenSSH client
|
||||||
# Other modes (e.g. paramiko) are not officially supported,
|
# Other modes (e.g. paramiko) are not officially supported,
|
||||||
# but can be enabled via raw_arguments option.
|
# but can be enabled via raw_arguments option.
|
||||||
options << "--connection=ssh"
|
options = %W[--connection=ssh]
|
||||||
|
|
||||||
# Increase the SSH connection timeout, as the Ansible default value (10 seconds)
|
# Increase the SSH connection timeout, as the Ansible default value (10 seconds)
|
||||||
# is a bit demanding for some overloaded developer boxes. This is particularly
|
# is a bit demanding for some overloaded developer boxes. This is particularly
|
||||||
|
@ -34,6 +31,16 @@ module VagrantPlugins
|
||||||
# is not controlled during vagrant boot process.
|
# is not controlled during vagrant boot process.
|
||||||
options << "--timeout=30"
|
options << "--timeout=30"
|
||||||
|
|
||||||
|
if !config.force_remote_user
|
||||||
|
# Pass the vagrant ssh username as Ansible default remote user, because
|
||||||
|
# the ansible_ssh_user parameter won't be added to the auto-generated inventory.
|
||||||
|
options << "--user=#{@ssh_info[:username]}"
|
||||||
|
elsif config.inventory_path
|
||||||
|
# Using an extra variable is the only way to ensure that the Ansible remote user
|
||||||
|
# is overridden (as the ansible inventory is not under vagrant control)
|
||||||
|
options << "--extra-vars=ansible_ssh_user='#{@ssh_info[:username]}'"
|
||||||
|
end
|
||||||
|
|
||||||
# By default we limit by the current machine, but
|
# By default we limit by the current machine, but
|
||||||
# this can be overridden by the `limit` option.
|
# this can be overridden by the `limit` option.
|
||||||
if config.limit
|
if config.limit
|
||||||
|
@ -127,7 +134,11 @@ module VagrantPlugins
|
||||||
m = @machine.env.machine(*am)
|
m = @machine.env.machine(*am)
|
||||||
m_ssh_info = m.ssh_info
|
m_ssh_info = m.ssh_info
|
||||||
if !m_ssh_info.nil?
|
if !m_ssh_info.nil?
|
||||||
inventory += "#{m.name} ansible_ssh_host=#{m_ssh_info[:host]} ansible_ssh_port=#{m_ssh_info[:port]} ansible_ssh_private_key_file='#{m_ssh_info[:private_key_path][0]}'\n"
|
forced_ssh_user = ""
|
||||||
|
if config.force_remote_user
|
||||||
|
forced_ssh_user = "ansible_ssh_user='#{m_ssh_info[:username]}' "
|
||||||
|
end
|
||||||
|
inventory += "#{m.name} ansible_ssh_host=#{m_ssh_info[:host]} ansible_ssh_port=#{m_ssh_info[:port]} #{forced_ssh_user}ansible_ssh_private_key_file='#{m_ssh_info[:private_key_path][0]}'\n"
|
||||||
inventory_machines[m.name] = m
|
inventory_machines[m.name] = m
|
||||||
else
|
else
|
||||||
@logger.error("Auto-generated inventory: Impossible to get SSH information for machine '#{m.name} (#{m.provider_name})'. This machine should be recreated.")
|
@logger.error("Auto-generated inventory: Impossible to get SSH information for machine '#{m.name} (#{m.provider_name})'. This machine should be recreated.")
|
||||||
|
|
|
@ -18,6 +18,7 @@ describe VagrantPlugins::Ansible::Config do
|
||||||
supported_options = %w( ask_sudo_pass
|
supported_options = %w( ask_sudo_pass
|
||||||
ask_vault_pass
|
ask_vault_pass
|
||||||
extra_vars
|
extra_vars
|
||||||
|
force_remote_user
|
||||||
groups
|
groups
|
||||||
host_key_checking
|
host_key_checking
|
||||||
inventory_path
|
inventory_path
|
||||||
|
@ -41,6 +42,7 @@ describe VagrantPlugins::Ansible::Config do
|
||||||
|
|
||||||
expect(subject.playbook).to be_nil
|
expect(subject.playbook).to be_nil
|
||||||
expect(subject.extra_vars).to be_nil
|
expect(subject.extra_vars).to be_nil
|
||||||
|
expect(subject.force_remote_user).to be_true
|
||||||
expect(subject.ask_sudo_pass).to be_false
|
expect(subject.ask_sudo_pass).to be_false
|
||||||
expect(subject.ask_vault_pass).to be_false
|
expect(subject.ask_vault_pass).to be_false
|
||||||
expect(subject.vault_password_file).to be_nil
|
expect(subject.vault_password_file).to be_nil
|
||||||
|
@ -57,6 +59,9 @@ describe VagrantPlugins::Ansible::Config do
|
||||||
expect(subject.raw_ssh_args).to be_nil
|
expect(subject.raw_ssh_args).to be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "force_remote_user option" do
|
||||||
|
it_behaves_like "any VagrantConfigProvisioner strict boolean attribute", :force_remote_user, true
|
||||||
|
end
|
||||||
describe "host_key_checking option" do
|
describe "host_key_checking option" do
|
||||||
it_behaves_like "any VagrantConfigProvisioner strict boolean attribute", :host_key_checking, false
|
it_behaves_like "any VagrantConfigProvisioner strict boolean attribute", :host_key_checking, false
|
||||||
end
|
end
|
||||||
|
|
|
@ -67,15 +67,17 @@ VF
|
||||||
#
|
#
|
||||||
|
|
||||||
def self.it_should_set_arguments_and_environment_variables(
|
def self.it_should_set_arguments_and_environment_variables(
|
||||||
expected_args_count = 6, expected_vars_count = 4, expected_host_key_checking = false, expected_transport_mode = "ssh")
|
expected_args_count = 5,
|
||||||
|
expected_vars_count = 4,
|
||||||
|
expected_host_key_checking = false,
|
||||||
|
expected_transport_mode = "ssh")
|
||||||
|
|
||||||
it "sets implicit arguments in a specific order" do
|
it "sets implicit arguments in a specific order" do
|
||||||
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
|
||||||
expect(args[0]).to eq("ansible-playbook")
|
expect(args[0]).to eq("ansible-playbook")
|
||||||
expect(args[1]).to eq("--user=#{machine.ssh_info[:username]}")
|
expect(args[1]).to eq("--connection=ssh")
|
||||||
expect(args[2]).to eq("--connection=ssh")
|
expect(args[2]).to eq("--timeout=30")
|
||||||
expect(args[3]).to eq("--timeout=30")
|
|
||||||
|
|
||||||
inventory_count = args.count { |x| x =~ /^--inventory-file=.+$/ }
|
inventory_count = args.count { |x| x =~ /^--inventory-file=.+$/ }
|
||||||
expect(inventory_count).to be > 0
|
expect(inventory_count).to be > 0
|
||||||
|
@ -162,13 +164,17 @@ VF
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.it_should_create_and_use_generated_inventory
|
def self.it_should_create_and_use_generated_inventory(with_ssh_user = true)
|
||||||
it "generates an inventory with all active machines" do
|
it "generates an inventory with all active machines" do
|
||||||
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
expect(config.inventory_path).to be_nil
|
expect(config.inventory_path).to be_nil
|
||||||
expect(File.exists?(generated_inventory_file)).to be_true
|
expect(File.exists?(generated_inventory_file)).to be_true
|
||||||
inventory_content = File.read(generated_inventory_file)
|
inventory_content = File.read(generated_inventory_file)
|
||||||
expect(inventory_content).to include("#{machine.name} ansible_ssh_host=#{machine.ssh_info[:host]} ansible_ssh_port=#{machine.ssh_info[:port]} ansible_ssh_private_key_file='#{machine.ssh_info[:private_key_path][0]}'\n")
|
if with_ssh_user
|
||||||
|
expect(inventory_content).to include("#{machine.name} ansible_ssh_host=#{machine.ssh_info[:host]} ansible_ssh_port=#{machine.ssh_info[:port]} ansible_ssh_user='#{machine.ssh_info[:username]}' ansible_ssh_private_key_file='#{machine.ssh_info[:private_key_path][0]}'\n")
|
||||||
|
else
|
||||||
|
expect(inventory_content).to include("#{machine.name} ansible_ssh_host=#{machine.ssh_info[:host]} ansible_ssh_port=#{machine.ssh_info[:port]} ansible_ssh_private_key_file='#{machine.ssh_info[:private_key_path][0]}'\n")
|
||||||
|
end
|
||||||
expect(inventory_content).to include("# MISSING: '#{iso_env.machine_names[1]}' machine was probably removed without using Vagrant. This machine should be recreated.\n")
|
expect(inventory_content).to include("# MISSING: '#{iso_env.machine_names[1]}' machine was probably removed without using Vagrant. This machine should be recreated.\n")
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -276,7 +282,7 @@ VF
|
||||||
config.host_key_checking = true
|
config.host_key_checking = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 6, 4, true
|
it_should_set_arguments_and_environment_variables 5, 4, true
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "with boolean (flag) options disabled" do
|
describe "with boolean (flag) options disabled" do
|
||||||
|
@ -288,7 +294,7 @@ VF
|
||||||
config.sudo_user = 'root'
|
config.sudo_user = 'root'
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 7
|
it_should_set_arguments_and_environment_variables 6
|
||||||
it_should_set_optional_arguments({ "sudo_user" => "--sudo-user=root" })
|
it_should_set_optional_arguments({ "sudo_user" => "--sudo-user=root" })
|
||||||
|
|
||||||
it "it does not set boolean flag when corresponding option is set to false" do
|
it "it does not set boolean flag when corresponding option is set to false" do
|
||||||
|
@ -303,6 +309,7 @@ VF
|
||||||
describe "with raw_arguments option" do
|
describe "with raw_arguments option" do
|
||||||
before do
|
before do
|
||||||
config.sudo = false
|
config.sudo = false
|
||||||
|
config.force_remote_user = false
|
||||||
config.skip_tags = %w(foo bar)
|
config.skip_tags = %w(foo bar)
|
||||||
config.limit = "all"
|
config.limit = "all"
|
||||||
config.raw_arguments = ["--connection=paramiko",
|
config.raw_arguments = ["--connection=paramiko",
|
||||||
|
@ -352,12 +359,29 @@ VF
|
||||||
it_should_set_arguments_and_environment_variables
|
it_should_set_arguments_and_environment_variables
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context "with force_remote_user option disabled" do
|
||||||
|
before do
|
||||||
|
config.force_remote_user = false
|
||||||
|
end
|
||||||
|
|
||||||
|
it_should_create_and_use_generated_inventory false # i.e. without setting ansible_ssh_user in inventory
|
||||||
|
|
||||||
|
it_should_set_arguments_and_environment_variables 6
|
||||||
|
|
||||||
|
it "uses a --user argument to set a default remote user" do
|
||||||
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
expect(args).not_to include("--extra-vars=ansible_ssh_user='#{machine.ssh_info[:username]}'")
|
||||||
|
expect(args).to include("--user=#{machine.ssh_info[:username]}")
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "with inventory_path option" do
|
describe "with inventory_path option" do
|
||||||
before do
|
before do
|
||||||
config.inventory_path = existing_file
|
config.inventory_path = existing_file
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables
|
it_should_set_arguments_and_environment_variables 6
|
||||||
|
|
||||||
it "does not generate the inventory and uses given inventory path instead" do
|
it "does not generate the inventory and uses given inventory path instead" do
|
||||||
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
@ -366,6 +390,26 @@ VF
|
||||||
expect(File.exists?(generated_inventory_file)).to be_false
|
expect(File.exists?(generated_inventory_file)).to be_false
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "uses an --extra-vars argument to force ansible_ssh_user parameter" do
|
||||||
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
expect(args).not_to include("--user=#{machine.ssh_info[:username]}")
|
||||||
|
expect(args).to include("--extra-vars=ansible_ssh_user='#{machine.ssh_info[:username]}'")
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "with force_remote_user option disabled" do
|
||||||
|
before do
|
||||||
|
config.force_remote_user = false
|
||||||
|
end
|
||||||
|
|
||||||
|
it "uses a --user argument to set a default remote user" do
|
||||||
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
expect(args).not_to include("--extra-vars=ansible_ssh_user='#{machine.ssh_info[:username]}'")
|
||||||
|
expect(args).to include("--user=#{machine.ssh_info[:username]}")
|
||||||
|
}
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "with ask_vault_pass option" do
|
describe "with ask_vault_pass option" do
|
||||||
|
@ -373,7 +417,7 @@ VF
|
||||||
config.ask_vault_pass = true
|
config.ask_vault_pass = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 7
|
it_should_set_arguments_and_environment_variables 6
|
||||||
|
|
||||||
it "should ask the vault password" do
|
it "should ask the vault password" do
|
||||||
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
@ -387,7 +431,7 @@ VF
|
||||||
config.vault_password_file = existing_file
|
config.vault_password_file = existing_file
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 7
|
it_should_set_arguments_and_environment_variables 6
|
||||||
|
|
||||||
it "uses the given vault password file" do
|
it "uses the given vault password file" do
|
||||||
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
expect(Vagrant::Util::Subprocess).to receive(:execute).with { |*args|
|
||||||
|
@ -401,7 +445,7 @@ VF
|
||||||
config.raw_ssh_args = ['-o ControlMaster=no', '-o ForwardAgent=no']
|
config.raw_ssh_args = ['-o ControlMaster=no', '-o ForwardAgent=no']
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 6, 4
|
it_should_set_arguments_and_environment_variables
|
||||||
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
||||||
|
|
||||||
it "passes custom SSH options via ANSIBLE_SSH_ARGS with the highest priority" do
|
it "passes custom SSH options via ANSIBLE_SSH_ARGS with the highest priority" do
|
||||||
|
@ -435,7 +479,7 @@ VF
|
||||||
ssh_info[:private_key_path] = ['/path/to/my/key', '/an/other/identity', '/yet/an/other/key']
|
ssh_info[:private_key_path] = ['/path/to/my/key', '/an/other/identity', '/yet/an/other/key']
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 6, 4
|
it_should_set_arguments_and_environment_variables
|
||||||
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
||||||
|
|
||||||
it "passes additional Identity Files via ANSIBLE_SSH_ARGS" do
|
it "passes additional Identity Files via ANSIBLE_SSH_ARGS" do
|
||||||
|
@ -452,7 +496,7 @@ VF
|
||||||
ssh_info[:forward_agent] = true
|
ssh_info[:forward_agent] = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 6, 4
|
it_should_set_arguments_and_environment_variables
|
||||||
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
||||||
|
|
||||||
it "enables SSH-Forwarding via ANSIBLE_SSH_ARGS" do
|
it "enables SSH-Forwarding via ANSIBLE_SSH_ARGS" do
|
||||||
|
@ -468,12 +512,12 @@ VF
|
||||||
config.verbose = 'v'
|
config.verbose = 'v'
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 7
|
it_should_set_arguments_and_environment_variables 6
|
||||||
it_should_set_optional_arguments({ "verbose" => "-v" })
|
it_should_set_optional_arguments({ "verbose" => "-v" })
|
||||||
|
|
||||||
it "shows the ansible-playbook command" do
|
it "shows the ansible-playbook command" do
|
||||||
expect(machine.env.ui).to receive(:detail).with { |full_command|
|
expect(machine.env.ui).to receive(:detail).with { |full_command|
|
||||||
expect(full_command).to eq("PYTHONUNBUFFERED=1 ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_FORCE_COLOR=true ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --user=testuser --connection=ssh --timeout=30 --limit='machine1' --inventory-file=#{generated_inventory_dir} -v playbook.yml")
|
expect(full_command).to eq("PYTHONUNBUFFERED=1 ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_FORCE_COLOR=true ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --connection=ssh --timeout=30 --limit='machine1' --inventory-file=#{generated_inventory_dir} -v playbook.yml")
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -520,7 +564,7 @@ VF
|
||||||
config.raw_ssh_args = ['-o ControlMaster=no']
|
config.raw_ssh_args = ['-o ControlMaster=no']
|
||||||
end
|
end
|
||||||
|
|
||||||
it_should_set_arguments_and_environment_variables 21, 4, true
|
it_should_set_arguments_and_environment_variables 20, 4, true
|
||||||
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
it_should_explicitly_enable_ansible_ssh_control_persist_defaults
|
||||||
it_should_set_optional_arguments({ "extra_vars" => "--extra-vars=@#{File.expand_path(__FILE__)}",
|
it_should_set_optional_arguments({ "extra_vars" => "--extra-vars=@#{File.expand_path(__FILE__)}",
|
||||||
"sudo" => "--sudo",
|
"sudo" => "--sudo",
|
||||||
|
@ -547,7 +591,7 @@ VF
|
||||||
|
|
||||||
it "shows the ansible-playbook command, with additional quotes when required" do
|
it "shows the ansible-playbook command, with additional quotes when required" do
|
||||||
expect(machine.env.ui).to receive(:detail).with { |full_command|
|
expect(machine.env.ui).to receive(:detail).with { |full_command|
|
||||||
expect(full_command).to eq("PYTHONUNBUFFERED=1 ANSIBLE_HOST_KEY_CHECKING=true ANSIBLE_FORCE_COLOR=true ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes -o IdentityFile=/my/key1 -o IdentityFile=/my/key2 -o ForwardAgent=yes -o ControlMaster=no -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --user=testuser --connection=ssh --timeout=30 --limit='machine*:&vagrant:!that_one' --inventory-file=#{generated_inventory_dir} --extra-vars=@#{File.expand_path(__FILE__)} --sudo --sudo-user=deployer -vvv --ask-sudo-pass --ask-vault-pass --vault-password-file=#{File.expand_path(__FILE__)} --tags=db,www --skip-tags=foo,bar --start-at-task='an awesome task' --why-not --su-user=foot --ask-su-pass --limit='all' --private-key=./myself.key playbook.yml")
|
expect(full_command).to eq("PYTHONUNBUFFERED=1 ANSIBLE_HOST_KEY_CHECKING=true ANSIBLE_FORCE_COLOR=true ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes -o IdentityFile=/my/key1 -o IdentityFile=/my/key2 -o ForwardAgent=yes -o ControlMaster=no -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --connection=ssh --timeout=30 --limit='machine*:&vagrant:!that_one' --inventory-file=#{generated_inventory_dir} --extra-vars=@#{File.expand_path(__FILE__)} --sudo --sudo-user=deployer -vvv --ask-sudo-pass --ask-vault-pass --vault-password-file=#{File.expand_path(__FILE__)} --tags=db,www --skip-tags=foo,bar --start-at-task='an awesome task' --why-not --su-user=foot --ask-su-pass --limit='all' --private-key=./myself.key playbook.yml")
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -61,8 +61,8 @@ Vagrant would generate an inventory file that might look like:
|
||||||
```
|
```
|
||||||
# Generated by Vagrant
|
# Generated by Vagrant
|
||||||
|
|
||||||
machine1 ansible_ssh_host=127.0.0.1 ansible_ssh_port=2200 ansible_ssh_private_key_file=/home/.../.vagrant/machines/machine1/virtualbox/private_key
|
machine1 ansible_ssh_host=127.0.0.1 ansible_ssh_port=2200 ansible_ssh_user='vagrant' ansible_ssh_private_key_file='/home/.../'.vagrant/machines/machine1/virtualbox/private_key
|
||||||
machine2 ansible_ssh_host=127.0.0.1 ansible_ssh_port=2201 ansible_ssh_private_key_file=/home/.../.vagrant/machines/machine2/virtualbox/private_key
|
machine2 ansible_ssh_host=127.0.0.1 ansible_ssh_port=2201 ansible_ssh_user='vagrant' ansible_ssh_private_key_file='/home/.../'.vagrant/machines/machine2/virtualbox/private_key
|
||||||
|
|
||||||
[group1]
|
[group1]
|
||||||
machine1
|
machine1
|
||||||
|
@ -80,6 +80,7 @@ group2
|
||||||
* The generation of group variables blocks (e.g. `[group1:vars]`) are intentionally not supported, as it is [not recommended to store group variables in the main inventory file](http://docs.ansible.com/intro_inventory.html#splitting-out-host-and-group-specific-data). A good practice is to store these group (or host) variables in `YAML` files stored in `group_vars/` or `host_vars/` directories in the playbook (or inventory) directory.
|
* The generation of group variables blocks (e.g. `[group1:vars]`) are intentionally not supported, as it is [not recommended to store group variables in the main inventory file](http://docs.ansible.com/intro_inventory.html#splitting-out-host-and-group-specific-data). A good practice is to store these group (or host) variables in `YAML` files stored in `group_vars/` or `host_vars/` directories in the playbook (or inventory) directory.
|
||||||
* Unmanaged machines and undefined groups are not added to the inventory, to avoid useless Ansible errors (e.g. *unreachable host* or *undefined child group*)
|
* Unmanaged machines and undefined groups are not added to the inventory, to avoid useless Ansible errors (e.g. *unreachable host* or *undefined child group*)
|
||||||
* Prior to Vagrant 1.7.3, the `ansible_ssh_private_key_file` variable was not set in generated inventory, but passed as command line argument to `ansible-playbook` command.
|
* Prior to Vagrant 1.7.3, the `ansible_ssh_private_key_file` variable was not set in generated inventory, but passed as command line argument to `ansible-playbook` command.
|
||||||
|
* Prior to Vagrant 1.8.0, the `ansible_ssh_user` variable was not set in generated inventory, but passed as command line argument to `ansible-playbook` command. See also the `force_remote_user` option to enable the former behavior.
|
||||||
|
|
||||||
For example, `machine3`, `group3` and `group1:vars` in the example below would not be added to the generated inventory file:
|
For example, `machine3`, `group3` and `group1:vars` in the example below would not be added to the generated inventory file:
|
||||||
|
|
||||||
|
@ -220,6 +221,7 @@ by the sudo command.
|
||||||
* `ansible.raw_arguments` can be set to an array of strings corresponding to a list of `ansible-playbook` arguments (e.g. `['--check', '-M /my/modules']`). It is an *unsafe wildcard* that can be used to apply Ansible options that are not (yet) supported by this Vagrant provisioner. As of Vagrant 1.7, `raw_arguments` has the highest priority and its values can potentially override or break other Vagrant settings.
|
* `ansible.raw_arguments` can be set to an array of strings corresponding to a list of `ansible-playbook` arguments (e.g. `['--check', '-M /my/modules']`). It is an *unsafe wildcard* that can be used to apply Ansible options that are not (yet) supported by this Vagrant provisioner. As of Vagrant 1.7, `raw_arguments` has the highest priority and its values can potentially override or break other Vagrant settings.
|
||||||
* `ansible.raw_ssh_args` can be set to an array of strings corresponding to a list of OpenSSH client parameters (e.g. `['-o ControlMaster=no']`). It is an *unsafe wildcard* that can be used to pass additional SSH settings to Ansible via `ANSIBLE_SSH_ARGS` environment variable.
|
* `ansible.raw_ssh_args` can be set to an array of strings corresponding to a list of OpenSSH client parameters (e.g. `['-o ControlMaster=no']`). It is an *unsafe wildcard* that can be used to pass additional SSH settings to Ansible via `ANSIBLE_SSH_ARGS` environment variable.
|
||||||
* `ansible.host_key_checking` can be set to `true` which will enable host key checking. As of Vagrant 1.5, the default value is `false` and as of Vagrant 1.7 the user known host file (e.g. `~/.ssh/known_hosts`) is no longer read nor modified. In other words: by default, the Ansible provisioner behaves the same as Vagrant native commands (e.g `vagrant ssh`).
|
* `ansible.host_key_checking` can be set to `true` which will enable host key checking. As of Vagrant 1.5, the default value is `false` and as of Vagrant 1.7 the user known host file (e.g. `~/.ssh/known_hosts`) is no longer read nor modified. In other words: by default, the Ansible provisioner behaves the same as Vagrant native commands (e.g `vagrant ssh`).
|
||||||
|
* `ansible.force_remote_user` can be set to `false` which will enable the `remote_user` parameters of your Ansible plays or tasks. Otherwise, Vagrant will set the `ansible_ssh_user` setting in the generated inventory, or as an extra variable when a static inventory is used. In this case, all the Ansible `remote_user` parameters will be overridden by the value of `config.ssh.username` of the [Vagrant SSH Settings](/v2/vagrantfile/ssh_settings.html).
|
||||||
|
|
||||||
## Tips and Tricks
|
## Tips and Tricks
|
||||||
|
|
||||||
|
@ -273,31 +275,6 @@ As `ansible-playbook` command looks for local `ansible.cfg` configuration file i
|
||||||
|
|
||||||
Note that it is also possible to reference an Ansible configuration file via `ANSIBLE_CONFIG` environment variable, if you want to be flexible about the location of this file.
|
Note that it is also possible to reference an Ansible configuration file via `ANSIBLE_CONFIG` environment variable, if you want to be flexible about the location of this file.
|
||||||
|
|
||||||
### Why does the Ansible provisioner connect as the wrong user?
|
|
||||||
|
|
||||||
It is good to know that the following Ansible settings always override the `config.ssh.username` option defined in [Vagrant SSH Settings](/v2/vagrantfile/ssh_settings.html):
|
|
||||||
|
|
||||||
* `ansible_ssh_user` variable
|
|
||||||
* `remote_user` (or `user`) play attribute
|
|
||||||
* `remote_user` task attribute
|
|
||||||
|
|
||||||
Be aware that copying snippets from the Ansible documentation might lead to this problem, as `root` is used as the remote user in many [examples](http://docs.ansible.com/playbooks_intro.html#hosts-and-users).
|
|
||||||
|
|
||||||
Example of an SSH error (with `vvv` log level), where an undefined remote user `xyz` has replaced `vagrant`:
|
|
||||||
|
|
||||||
```
|
|
||||||
TASK: [my_role | do something] *****************
|
|
||||||
<127.0.0.1> ESTABLISH CONNECTION FOR USER: xyz
|
|
||||||
<127.0.0.1> EXEC ['ssh', '-tt', '-vvv', '-o', 'ControlMaster=auto',...
|
|
||||||
fatal: [ansible-devbox] => SSH encountered an unknown error. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue.
|
|
||||||
```
|
|
||||||
|
|
||||||
In a situation like the above, to override the `remote_user` specified in a play you can use the following line in your Vagrantfile `vm.provision` block:
|
|
||||||
|
|
||||||
```
|
|
||||||
ansible.extra_vars = { ansible_ssh_user: 'vagrant' }
|
|
||||||
```
|
|
||||||
|
|
||||||
### Force Paramiko Connection Mode
|
### Force Paramiko Connection Mode
|
||||||
|
|
||||||
The Ansible provisioner is implemented with native OpenSSH support in mind, and there is no official support for [paramiko](https://github.com/paramiko/paramiko/) (A native Python SSHv2 protocol library).
|
The Ansible provisioner is implemented with native OpenSSH support in mind, and there is no official support for [paramiko](https://github.com/paramiko/paramiko/) (A native Python SSHv2 protocol library).
|
||||||
|
|
Loading…
Reference in New Issue