Hi,
New to ansible and this project so forgive me if this seems like a dumb questions. I’m one of those guys that like to know how things work but I’m getting stuck figuring out how the users role creates users. Specifically this part
- name: Check whether Ansible can connect as admin_user
local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }}
From what i can tell cli_options is a function and it’s then filtered through “default(’’)” which I’m guessing just filters the output of cli_option to a string.
My question is where does this cli_options come from and what does it do exactly?
Some context
The SSH user that will succeed for Ansible depends on the context, e.g.:
The remote-user
role uses an updated version of the task you posted above to test whether root
can connect, making all subsequent connections as the admin_user
if root
fails. This avoids requiring of Trellis users very much manual management of SSH user names.
Although the remote-user
role described above does not create any users, the users
role creates the following users on the remote, if they don’t already exist:
admin_user
to run the server.yml
playbook if root
cannot connect. This user has full privileges on the server.
web_user
to run the deploy.yml
playbook. This user has privileges limited to managing website files, not the whole server.
The SSH keys docs provide a little more perspective on users.
Breaking down this task
The task you posted above is not a simple place to start understanding Ansible:
local_action
indicates that the command should be run on the local machine instead of the remote server
command
indicates that the following will be the command to execute
ansible
begins an ad hoc command
inventory_hostname
is an Ansible built-in variable indicating which remote should be accessed in the ad hoc command
-m ping
indicates the Ansible ping module should be used to test the connection
- [
-u {{ admin_user }}
] indicates to attempt the connection as the Trellis-defined variable admin_user
. “But wait, you said the task tries to connect as root
!” Well, it does now. The version you posted is out-of-date.
cli_options
is a variable defined by Trellis behind the scenes. See explanation below.
| default('')
sets the default value of an empty string ''
if the cli_options
variable is undefined, because without defaults set, Ansible playbooks fail when encountering undefined variables.
The task is complex because it has the unusual local_action
thing. It is also unusual to use an ad hoc command. It also includes three different variable types: user-defined (common), magic or built-in (less common), and a Trellis var defined in an Ansible plugin (uncommon).
The cli_options variable
So finally, what is that cli_options
variable?
If you run ansible-playbook -h
you’ll see the many possible cli options that could affect the SSH connection. For example, suppose someone specified --private-key
. The ping
test in the task above would only be successful if also specifying this --private-key
. So, cli_options
is defined as the various cli options the user may have specified that could affect the SSH connection.
Note: the ancestor of cli_options
was cli_options_ping
, created in roots/trellis#578.
It’s cruel for me to save this gem for the end: I don’t think you’d ever need to think about or use the cli_options
variable.
2 Likes