
03/06/2019

How to set and use sudo password for Ansible Vault



How can I set a sudo password for Ansible from the Linux or Unix CLI? How can I store the sudo password in a vault file and use it without exposing it on the command line?

You can store the sudo password in an encrypted Ansible Vault file and hand it to ansible-playbook with the --extra-vars option. Let us see two different methods of dealing with the sudo password.


How to specify sudo password for Ansible at the cli (method # 1)

The syntax is:
ansible-playbook -i inventory my.yml \
--extra-vars 'ansible_become_pass=YOUR-PASSWORD-HERE'

From a security perspective, typing the password as a CLI argument is not a good idea: it lands in your shell history and is visible to every local user in the process list (ps) for as long as the play runs. Hence, you can force ansible-playbook to ask for the password instead:
ansible-playbook --ask-sudo-pass -i inventory my.yml
The --ask-sudo-pass option has been deprecated in favor of the "become" command line arguments, so run:
ansible-playbook --ask-become-pass -i inventory my.yml

A note about specifying ssh username and password at the CLI

The syntax is:
ansible-playbook -i inventory my.yml \
--extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE' \
--extra-vars 'ansible_ssh_user=YOUR-SSH-USERNAME-HERE'

OR
ansible-playbook -i inventory my.yml -u YOUR-SSH-USERNAME-HERE \
--extra-vars 'ansible_ssh_pass=YOUR-SSH-PASSWORD-HERE'

The same warning applies: an SSH password given on the command line is exposed in shell history and in the process list. Prefer SSH keys, or prompt for the password with --ask-pass (-k). Note that ansible_ssh_user and ansible_ssh_pass are the older variable names; current Ansible releases prefer ansible_user and ansible_password, and the vault technique shown below for the sudo password works for these variables as well.

Here is my sample inventory file:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vivek  # ssh login user
ansible_become=yes  # use sudo 
ansible_become_method=sudo 
 
[cluster]
www1
www2
www3
db1
db2
cache1
cache2


Here is my my.yml file:

---
- hosts: cluster
  tasks:
    - name: Updating host using apt
      apt:
        update_cache: yes
        upgrade: dist
    - name: Update kernel to specific version
      apt:
        name: "{{ k_ver }}"
        state: latest
    - name: Clean unwanted older stuff
      apt:
        autoremove: yes
        purge: yes


I ran command as follows:
ansible-playbook --ask-become-pass -i inventory my.yml

How to store and use the sudo password in a vault (method # 2)

First update your inventory file as follows:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vivek  # ssh login user
ansible_become=yes  # use sudo 
ansible_become_method=sudo 
ansible_become_pass='{{ my_cluser_sudo_pass }}'
 
[cluster]
www1
www2
www3
db1
db2
cache1
cache2


Next, create a new encrypted data file named passwd.yml by running the following command:
$ ansible-vault create passwd.yml
Set a password for the vault. After you provide it, the tool opens whatever editor you have defined in $EDITOR. Add the following line:
my_cluser_sudo_pass: your_sudo_password_for_remote_servers
Save and close the file in vi/vim. Finally, run the playbook as follows:
$ ansible-playbook -i inventory --ask-vault-pass --extra-vars '@passwd.yml' my.yml

For unattended runs (cron, CI) you can replace --ask-vault-pass with --vault-password-file /path/to/file; keep that file mode 0600, since whoever can read it can decrypt the vault. Never commit a plaintext passwd.yml: the vault only protects you if the file that reaches --extra-vars is actually encrypted.
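The procedure above is easy to get subtly wrong (running the play against a passwd.yml that was never encrypted, or leaving the vault password file world-readable). The following wrapper, an added example and not code from the original post, checks both conditions before calling ansible-playbook with --vault-password-file. The inventory and my.yml names follow the article; the .vault_pass file name is an assumption.

```sh
#!/bin/sh
# Pre-flight wrapper for method 2. Added example, not from the original post.
# Refuses to run the play if the vault file is plaintext or if the vault
# password file is readable by other users, then calls ansible-playbook with
# --vault-password-file (handy for unattended runs). "inventory" and "my.yml"
# follow the article; the .vault_pass file name is an assumption.

# Return 0 if the first line carries an Ansible Vault header
# ($ANSIBLE_VAULT;1.1;AES256, or the 1.2 labelled form).
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Return 0 if the file mode is 0600 or 0400 (no group/other access).
check_secret_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_play VAULT_FILE VAULT_PASS_FILE PLAYBOOK [extra ansible-playbook args]
# Return codes: 2 = vault file is not encrypted, 3 = bad mode on pass file.
run_play() {
    vault_file=$1
    pass_file=$2
    shift 2
    if ! is_vault_encrypted "$vault_file"; then
        echo "refusing to run: $vault_file is not vault-encrypted" >&2
        return 2
    fi
    if ! check_secret_perms "$pass_file"; then
        echo "refusing to run: $pass_file must be mode 0600 or 0400" >&2
        return 3
    fi
    ansible-playbook -i inventory \
        --vault-password-file "$pass_file" \
        --extra-vars "@$vault_file" "$@"
}

# Usage: ./run_play.sh passwd.yml .vault_pass my.yml
if [ "$#" -ge 3 ]; then
    run_play "$@"
fi
```

The header check is deliberately strict about the first line: ansible-vault always writes it, so a file without it is plaintext whatever its extension says. The mode check only catches group/other readability; it does not protect you from root or from a compromised controller, which is why the vault password file still belongs on the control node only.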

How to edit my encrypted file again

ansible-vault edit passwd.yml

How to change password for my encrypted file

ansible-vault rekey passwd.yml

Disable sudo login without password on all remote servers

See also: How to create a new sudo user on Ubuntu Linux server

Log in to your remote box:
ssh vivek@server1.sxi.io
sudo -i

Make sure the vivek user is a member of the sudo (Debian/Ubuntu) or wheel (RHEL/CentOS) group, which is allowed to use sudo, using the id command:
id vivek
Edit the sudo config file using the visudo command:
sudo visudo
Make sure the following line is deleted or commented out:
vivek ALL=(ALL) NOPASSWD:ALL
Save and close the file. Drop-in files under /etc/sudoers.d/ are read by sudo as well (edit them with visudo -f /etc/sudoers.d/FILE), so check them for NOPASSWD entries too; running sudo -l -U vivek as root lists every rule that applies to the user. Otherwise --ask-become-pass prompts you for a password that sudo never actually requires.
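Checking one line in /etc/sudoers is not enough when cloud images and configuration management drop their own rules into /etc/sudoers.d/. The script below, an added example rather than part of the original post, scans both locations for NOPASSWD rules that apply to a user directly, via ALL, or via one of the user's groups. The directory argument exists so the functions can be exercised on a test copy; file names and the cloud-init style drop-in are constructed for illustration.

```sh
#!/bin/sh
# Audit sudoers for NOPASSWD rules that let a user (or a group the user is
# in) run sudo without a password. Added example, not from the original post.
# Covers DIR/sudoers and the DIR/sudoers.d drop-in directory, which sudo also
# reads via its default #includedir line. DIR defaults to /etc and can be
# pointed at a test copy.

# Print every non-comment line containing NOPASSWD from sudoers and
# sudoers.d. Returns 1 when there are none.
nopasswd_rules() {
    dir=${1:-/etc}
    cat "$dir/sudoers" "$dir"/sudoers.d/* 2>/dev/null |
        grep -v '^[[:space:]]*#' |
        grep 'NOPASSWD'
}

# user_has_nopasswd USER DIR [GROUP ...]
# Return 0 and print the matching rules if USER, ALL, or any listed group
# (%group) is the user spec of a NOPASSWD line; return 1 otherwise.
# Limitation: comma-separated user lists and User_Alias names are not
# expanded, so treat a clean result as a first pass, not a proof.
user_has_nopasswd() {
    user=$1
    dir=$2
    shift 2
    pat="^[[:space:]]*(${user}|ALL"
    for g in "$@"; do
        pat="${pat}|%${g}"
    done
    pat="${pat})[[:space:]]"
    nopasswd_rules "$dir" | grep -E "$pat"
}

# Usage on a real host (as root): ./audit_nopasswd.sh vivek
# The user's groups come from id -nG; a non-zero exit means no rule found.
if [ "$#" -ge 1 ]; then
    user_has_nopasswd "$1" /etc $(id -nG "$1")
fi
```

Run it before and after the visudo edit on every host in the cluster (it is itself a natural candidate for an Ansible task). For the authoritative answer use sudo -l -U USER as root, which resolves aliases and include files exactly as sudo does; the script is for spotting stray drop-ins quickly across many servers.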

Summary

In short, use the following options for the ansible-playbook command, with or without a vault file:

  • -i inventory : Set path to your inventory file.
  • --ask-vault-pass : Ask for vault password
  • --extra-vars '@passwd.yml' – Set extra variable. In this case set path to vault file named passwd.yml.
  • --ask-become-pass : Ask for sudo password


Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.
