Hi,
New to ansible and this project so forgive me if this seems like a dumb questions. I’m one of those guys that like to know how things work but I’m getting stuck figuring out how the users role creates users. Specifically this part
- name: Check whether Ansible can connect as admin_user
local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }}
From what i can tell cli_options is a function and it’s then filtered through “default(’’)” which I’m guessing just filters the output of cli_option to a string.
My question is where does this cli_options come from and what does it do exactly?
Some context
The SSH user that will succeed for Ansible depends on the context, e.g.:
The remote-user role uses an updated version of the task you posted above to test whether root can connect, making all subsequent connections as the admin_user if root fails. This avoids requiring of Trellis users very much manual management of SSH user names.
Although the remote-user role described above does not create any users, the users role creates the following users on the remote, if they don’t already exist:
admin_user to run the server.yml playbook if root cannot connect. This user has full privileges on the server.web_user to run the deploy.yml playbook. This user has privileges limited to managing website files, not the whole server.
The SSH keys docs provide a little more perspective on users.
Breaking down this task
The task you posted above is not a simple place to start understanding Ansible:
local_action indicates that the command should be run on the local machine instead of the remote servercommand indicates that the following will be the command to executeansible begins an ad hoc commandinventory_hostname is an Ansible built-in variable indicating which remote should be accessed in the ad hoc command-m ping indicates the Ansible ping module should be used to test the connection- [
-u {{ admin_user }}] indicates to attempt the connection as the Trellis-defined variable admin_user. “But wait, you said the task tries to connect as root!” Well, it does now. The version you posted is out-of-date.
cli_options is a variable defined by Trellis behind the scenes. See explanation below. | default('') sets the default value of an empty string '' if the cli_options variable is undefined, because without defaults set, Ansible playbooks fail when encountering undefined variables.
The task is complex because it has the unusual local_action thing. It is also unusual to use an ad hoc command. It also includes three different variable types: user-defined (common), magic or built-in (less common), and a Trellis var defined in an Ansible plugin (uncommon).
The cli_options variable
So finally, what is that cli_options variable?
If you run ansible-playbook -h you’ll see the many possible cli options that could affect the SSH connection. For example, suppose someone specified --private-key. The ping test in the task above would only be successful if also specifying this --private-key. So, cli_options is defined as the various cli options the user may have specified that could affect the SSH connection.
Note: the ancestor of cli_options was cli_options_ping, created in roots/trellis#578.
It’s cruel for me to save this gem for the end: I don’t think you’d ever need to think about or use the cli_options variable. 
2 Likes