5

So here is what I want to do: I want to run a playbook like this:

ansible-playbook playbookX.yml --ask-vault-pass [host or hostgroup]

The playbook should run a local (on the ansible server) python script with parameters

python scriptname.py Parameter1 Parameter2

Parameter1: a secret that should be encrypted and not visible (i.e. with ps -aufx), and I should get the password from a vault file. Maybe I should decrypt it in the python script?

Parameter2: The hostname specified in host or hostgroup (Note: The script should be run for every host when the playbook is run with a hostgroup)

Another note: The python script should best be executed in a virtual_env while the environment should have urllib3 installed.

How could I accomplish that?

2 Answers

3

You can verify urllib3 is present in the venv with the pip module: http://docs.ansible.com/ansible/latest/pip_module.html

I think you need to pass the host/hostgroup as a var on command line to the playbook:

ansible-playbook playbookX.yml -e "myhosts=[host or hostgroup]" --ask-vault-pass

I suggest using no_log on the task to hide the parameters in the output. I guess it will still show in ps though.

---
- name: Run on remote host
  hosts: "{{ myhosts }}"

  tasks:
    # <my other tasks on remote host>
    - name: run python script locally
      local_action: command python scriptname.py "{{ my_encrypted_password }}" "{{ myhosts }}"
      no_log: True

You could create a template scriptname.py.j2, add "{{ my_encrypted_password }}" where needed, then create your tmp scriptname.py, execute and remove the tmp file. That way it won't show with ps but it will be in the tmp .py file.

The last suggestion would be to just put it in the .py script and encrypt it with ansible-vault.


4 Comments

If I take your last suggestion and put it in the py-script then encrypt it with ansible vault. How would I call it in a playbook?
Starting to play with this, I realized it is not such a good idea. Another way would be to put your script in a role, the password in the role vars and encrypt it. Check this out: https://gist.github.com/tristanfisher/e5a306144a637dc739e7
In the end I solved this using just ansible modules, an inline-vault and no external python-script. But thanks for your help. I definitely have to learn about roles.
I am glad you did, can you post your solution in more detail?
0

Creating a virtual environment:

  • virtualenv env_name
  • source dir/bin/activate

I'm assuming you want to do something like this:

python some_script.py param1 param2

To pass and fetch parameters to a Python Script you need to use sys.

import sys
param1 = sys.argv[1]
param2 = sys.argv[2]

Use getpass() in python to accept passwords in the command line.

1 Comment

Sorry, but I know how to create a virtualenv for python. The question was how to do it in combination with ansible as a playbook which your answer completely omits. Thus -1
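
An alternative to passing the secret as Parameter1, as an added example that is not code from the question or either answer: the script takes only the hostname in argv and reads the secret from stdin (which Ansible's command module can supply through its stdin parameter), so ps shows the hostname but never the secret. The function names and the sample secret are constructed for illustration.

```python
"""Hypothetical scriptname.py: hostname in argv, secret on stdin."""
import getpass
import subprocess
import sys


def read_secret(stream):
    """Return the secret from stream; prompt without echo when run by hand."""
    if stream.isatty():
        return getpass.getpass("Secret: ")
    secret = stream.readline().rstrip("\r\n")
    if not secret:
        raise ValueError("no secret received on stdin")
    return secret


def run(argv, stream):
    """Script entry point: argv carries the hostname only."""
    if len(argv) != 2:
        raise SystemExit("usage: scriptname.py HOSTNAME  (secret on stdin)")
    hostname = argv[1]
    secret = read_secret(stream)
    # The real work (for example a urllib3 request) goes here.
    # Never print or log the secret itself.
    return f"{hostname}: received secret of length {len(secret)}"


def call_like_ansible(hostname, secret):
    """Start a child the way a command task with stdin would:
    the secret travels over a pipe, the process list only sees the hostname."""
    child = "import sys; s = sys.stdin.readline().rstrip(); print(sys.argv[1:], len(s))"
    proc = subprocess.run(
        [sys.executable, "-c", child, hostname],
        input=secret + "\n",
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.args, proc.stdout.strip()


if __name__ == "__main__":
    print(run(sys.argv, sys.stdin))
```

On the playbook side the task would keep no_log so the stdin value is not written to Ansible's own output.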
