Question
I have a playbook that targets a particular host. But there are a few tasks that I need to execute locally, so I am using "delegate_to" for those tasks. A few locally delegated tasks require sudo privileges, so I used "become: yes" and passed --ask-become-pass through the command line, and it worked fine. But now that I have created a job on Ansible Tower, how do I manage to provide the become password for the user (I guess the awx user) that is running the job?
Answer 1:
You'll want to set the special variable ansible_become_password, described in https://docs.ansible.com/ansible/latest/user_guide/become.html#become-connection-variables.
Because you'll be storing the password as a variable for your playbook(s), you'll notice they recommend encrypting the password with Ansible Vault to avoid storing a clear-text password.
Assuming you're storing your code/playbooks in git, there are a few options to consider:
- Storing the Vault password in a file
- Updating .gitignore to ignore the Vault password file
- Updating ansible.cfg to set the default Vault password file (example below)
[defaults]
vault_password_file = .vault_password
I lack experience with Ansible Tower, but have done similar with Rundeck successfully. Hope that helps!
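A check for the setup described in Answer 1, added here as an example and not part of the original answers: it confirms that the Vault password file named in ansible.cfg is ignored by git and not readable by other users, and that no YAML file defines the become password in clear text. The function names `audit` and `demo`, the files vars.yml and secrets.yml, and all sample values are constructed for illustration; .gitignore matching is simplified to exact lines.

```python
import configparser
import re
import stat
import tempfile
from pathlib import Path

# ansible_become_pass is the older alias of ansible_become_password.
BECOME_VAR = re.compile(r"^\s*ansible_become_pass(?:word)?\s*:\s*(.*)$", re.M)

def audit(repo: Path) -> list:
    """Return findings about Vault password handling in an Ansible repo."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(repo / "ansible.cfg")
    pw_file = cfg.get("defaults", "vault_password_file", fallback=None)
    if pw_file is None:
        findings.append("ansible.cfg: vault_password_file is not set")
    else:
        ignore = repo / ".gitignore"
        lines = ignore.read_text().splitlines() if ignore.exists() else []
        # Simplification: exact-line match, not full gitignore pattern rules.
        if pw_file not in {line.strip().lstrip("/") for line in lines}:
            findings.append(f".gitignore: {pw_file} is not ignored")
        path = repo / pw_file
        if path.exists() and stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(f"{pw_file}: readable by group or others")
    for yml in sorted(repo.rglob("*.yml")):
        text = yml.read_text()
        if text.startswith("$ANSIBLE_VAULT;"):
            continue  # whole file is Vault-encrypted
        for match in BECOME_VAR.finditer(text):
            value = match.group(1).strip()
            # Inline !vault blocks and {{ references }} are not clear text.
            if not (value.startswith("!vault") or "{{" in value):
                findings.append(f"{yml.relative_to(repo)}: clear-text become password")
    return findings

def demo() -> list:
    """Audit a constructed repo: file not ignored, loose mode, clear-text var."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "ansible.cfg").write_text("[defaults]\nvault_password_file = .vault_password\n")
        (repo / ".gitignore").write_text("*.retry\n")
        (repo / ".vault_password").write_text("constructed-sample\n")
        (repo / ".vault_password").chmod(0o644)
        (repo / "vars.yml").write_text("ansible_become_password: hunter2\n")
        (repo / "secrets.yml").write_text("$ANSIBLE_VAULT;1.1;AES256\n6132...\n")
        return audit(repo)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Calling `audit(Path("."))` from the repository root before committing returns an empty list when the three items in the answer's list are in place.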
Answer 2:
While creating credentials, you have an option in Tower to use a sudo username.
- PRIVILEGE ESCALATION USERNAME --- Mention your username there
- PRIVILEGE ESCALATION PASSWORD --- You can mention your passwords here or select "Prompt on Launch", option to enter password will come when you run template.
Please check this screen shot
Source: https://stackoverflow.com/questions/60427192/how-to-specify-become-password-for-tasks-delegated-to-localhost