Connection methods and details — Ansible Community Documentation (2024)


This section shows you how to expand and refine the connection methods Ansible uses for your inventory.

ControlPersist and paramiko

By default, Ansible uses native OpenSSH, because it supports ControlPersist (a performance feature), Kerberos, and options in ~/.ssh/config such as Jump Host setup. If your control machine uses an older version of OpenSSH that does not support ControlPersist, Ansible will fall back to a Python implementation of OpenSSH called ‘paramiko’.

Setting a remote user

By default, Ansible connects to all remote devices with the username you are using on the control node. If that username does not exist on a remote device, you can set a different username for the connection. If you just need to do some tasks as a different user, look at Understanding privilege escalation: become. You can set the connection user in a playbook:

---
- name: update webservers
  hosts: webservers
  remote_user: admin
  tasks:
  - name: thing to do first in this playbook
  . . .

as a host variable in inventory:

other1.example.com ansible_connection=ssh ansible_user=myuser
other2.example.com ansible_connection=ssh ansible_user=myotheruser

or as a group variable in inventory:

cloud:
  hosts:
    cloud1: my_backup.cloud.com
    cloud2: my_backup2.cloud.com
  vars:
    ansible_user: admin

See also

ssh_connection

Details on the remote_user keyword and ansible_user variable.

Controlling how Ansible behaves: precedence rules

Details on Ansible precedence rules.

Setting up SSH keys

By default, Ansible assumes you are using SSH keys to connect to remote machines. SSH keys are encouraged, but you can use password authentication if needed with the --ask-pass option. If you need to provide a password for privilege escalation (sudo, pbrun, and so on), use --ask-become-pass.

Note

Ansible does not expose a channel to allow communication between the user and the ssh process to accept a password manually to decrypt an ssh key when using the ssh connection plugin (which is the default). The use of ssh-agent is highly recommended.

To set up SSH agent to avoid retyping passwords, you can do:

$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa

Depending on your setup, you may wish to use Ansible’s --private-key command line option to specify a pem file instead. You can also add the private key file:

$ ssh-agent bash
$ ssh-add ~/.ssh/keypair.pem

Another way to add private key files without using ssh-agent is using ansible_ssh_private_key_file in an inventory file as explained here: How to build your inventory.

Running against localhost

You can run commands against the control node by using “localhost” or “127.0.0.1” for the server name:

$ ansible localhost -m ping -e 'ansible_python_interpreter="/usr/bin/env python"'

You can specify localhost explicitly by adding this to your inventory file:

localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"

Managing host key checking

Ansible enables host key checking by default. Checking host keys guards against server spoofing and man-in-the-middle attacks, but it does require some maintenance.

If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a new host is not in ‘known_hosts’, your control node may prompt for confirmation of the key, which makes the run interactive. You might not want this when Ansible runs unattended, for example from cron.
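One way to catch the missing-key case before a scheduled run while leaving host key checking enabled, as an added example that is not part of the Ansible documentation: it reports which hosts have no trusted entry in a known_hosts file, including entries stored in hashed form. The function names, placeholder key blobs and salt are assumptions, the host names are borrowed from the inventory examples above, and wildcard patterns and non-default ports are not handled.

```python
import base64
import hashlib
import hmac


def _hash_host(host, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def _matches(pattern, host):
    """Compare one known_hosts host pattern (plain or hashed) with a host name."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False  # malformed hashed entry
        return hmac.compare_digest(_hash_host(host, base64.b64decode(parts[2])), pattern)
    return pattern == host  # wildcard patterns are deliberately not handled


def hosts_missing_keys(known_hosts_text, hosts):
    """Return the hosts that have no non-revoked entry in the known_hosts text."""
    patterns = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] == "@revoked":
            continue  # blank line, comment, or a key that must not be trusted
        if fields[0].startswith("@"):
            fields = fields[1:]  # skip a marker such as @cert-authority
        if len(fields) >= 2:
            patterns.extend(fields[0].split(","))
    return [h for h in hosts if not any(_matches(p, h) for p in patterns)]


# Constructed sample: key blobs are placeholders and the salt is arbitrary.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts sample",
    "other1.example.com,192.0.2.10 ssh-ed25519 AAAA_PLACEHOLDER_1",
    _hash_host("other2.example.com", b"constructed-salt") + " ssh-ed25519 AAAA_PLACEHOLDER_2",
    "@revoked my_backup.cloud.com ssh-rsa AAAA_PLACEHOLDER_3",
])
INVENTORY_HOSTS = ["other1.example.com", "other2.example.com",
                   "my_backup.cloud.com", "my_backup2.cloud.com"]

if __name__ == "__main__":
    for host in hosts_missing_keys(SAMPLE_KNOWN_HOSTS, INVENTORY_HOSTS):
        print("no trusted host key recorded for", host)
```

Hosts reported here are the ones that would trigger the confirmation prompt; their keys should be verified and added to known_hosts before the unattended run.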

If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults]
host_key_checking = False

Alternatively, this can be set by the ANSIBLE_HOST_KEY_CHECKING environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False

Also note that host key checking in paramiko mode is reasonably slow, so switching to ‘ssh’ is also recommended when using this feature.
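To audit whether a control node has ended up with host key checking turned off, the following added example (not code from the Ansible project) resolves the effective setting from the two sources described above and reports where it came from. The function names and sample inputs are assumptions. It relies on Ansible reading only the first configuration file it finds and on the environment variable overriding that file, and it conservatively treats any value that is not a recognised "true" string as disabled.

```python
import configparser

# Strings read as "true"; this audit treats every other value as disabled,
# which is a deliberately conservative assumption.
TRUE_TOKENS = {"y", "yes", "on", "1", "true", "t"}
ENV_VAR = "ANSIBLE_HOST_KEY_CHECKING"


def _cfg_value(text, source):
    """Return the raw [defaults] host_key_checking value, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text, source=source)
    return parser.get("defaults", "host_key_checking", fallback=None)


def effective_host_key_checking(cfg_files, environ):
    """Resolve (enabled, source) for the host key checking setting.

    cfg_files: (path, text) pairs in search order, with text=None when the
    file is absent. Only the first file that exists is consulted, and the
    environment variable overrides it.
    """
    raw, source = None, "default"
    for path, text in cfg_files:
        if text is None:
            continue
        value = _cfg_value(text, path)
        if value is not None:
            raw, source = value, path
        break  # later files are ignored even if this one lacks the key
    if ENV_VAR in environ:
        raw, source = environ[ENV_VAR], "env:" + ENV_VAR
    enabled = raw is None or raw.strip().lower() in TRUE_TOKENS
    return enabled, source


# Constructed sample inputs; nothing is read from disk.
SAMPLE_FILES = [
    ("~/.ansible.cfg", "[defaults]\nhost_key_checking = False\n"),
    ("/etc/ansible/ansible.cfg", "[defaults]\nhost_key_checking = True\n"),
]

if __name__ == "__main__":
    print(effective_host_key_checking(SAMPLE_FILES, {}))
    print(effective_host_key_checking(SAMPLE_FILES, {ENV_VAR: "True"}))
```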

Other connection methods

Ansible can use a variety of connection methods beyond SSH. You can select any connection plugin, including managing things locally and managing chroot, lxc, and jail containers. A mode called ‘ansible-pull’ can also invert the system and have systems ‘phone home’ with scheduled git checkouts to pull configuration directives from a central repository.
