Containerized Ansible CLI.
Contains additional tools/packages (s. Dockerfile).
Place the docker-compose.yml into your Ansible project and run
$ docker-compose run ansible
While using SSH key authentication method to access remote resources, ensure that the encrypted private
key is located at the .ssh/id_rsa path within the user directory.
- Linux/macOS:
$HOME/.ssh/id_rsa - Windows:
$USERPROFILE/.ssh/id_rsa
After starting the Ansible container the key passphrase will be prompted.
$ docker-compose run ansible
Starting SSH Agent.
Enter passphrase for /root/.ssh/id_rsa:
Ansible Vault allows to keep sensitive data like passwords or keys encrypted. It supports encryption of whole files as well as single variables.
To clearly separate and restrict access to different inventories/environments multiple Ansible Vault passwords are indispensable.
When operating Ansible playbooks frequently, typing the Vault password on every execution can be cumbersome, especially with multiple environments in place.
While offering a possibility to reference password files, Ansible Vault does not provide a convenient feature to create or manage those, apart from the fact that an official integration into a password manager like Gnome-Keyring doesn't exist.
To overcome the limitations of the status quo a convenient method to manage multiple Ansible Vault password files is provided.
Initially an encrypted password file for every inventory/environment must be created using a personal master and environment
related Ansible Vault password. This is a one time operation per inventory/environment. Add .vault-password to the
gitignore patterns to prevent accidental check-ins.
$ cd inventories/prod
$ ansible-encrypt-vault-password
Enter the master password for .vault-password files:
Enter the vault password for prod inventory:
Created /ansible/inventories/prod/.vault-password.
As a result master password encrypted inventories/prod/.vault-password file that contains the environment Ansible Vault
password is created.
The encrypted password files are loaded when a new container is started.
$ docker-compose run ansible
...
Decrypting Ansible Vault passwords.
Enter decryption password for .vault-password files:
Decrypting /ansible/inventories/prod/.vault-password.
Alternatively encrypted password files may be reloaded within existing container.
$ cd /ansible
$ ansible-vault-init
Decrypting Ansible Vault passwords.
Enter decryption password for .vault-password files:
Decrypting /ansible/inventories/prod/.vault-password.
Secret values are encrypted per inventory (e.g. inventory prod, secret value foo).
$ ansible-vault encrypt_string --encrypt-vault-id 'prod' 'foo'
!vault |
$ANSIBLE_VAULT;1.2;AES256;production-de
33636332626264316661363731393861333764313361326262313664336435366666306664636434
3339643439333138303035373866363265326132653363380a303937343963303530666337396561
31626334633162323731323539393330366633386338393439613332373362383137383930616362
3066383536323139610a616434643664613435356365356330636435633666353864626439626335
6664
Bigger Ansible projects frequently utilize Ansible Galaxy Roles that can be installed using a requirements.yml file.
Roles installation can be triggered from the container.
$ cd /ansible
ansible-galaxy-init
Skipping Ansible Galaxy roles installation. No "/ansible/roles/requirements.yml" file present.
It's a tiny wrapper for ansible-galaxy install -r /ansible/roles/requirements.yml that ensures that the requirements.yml
is placed into the right location expected by Ansible Tower.
You can run the locally build image with:
docker-compose run ansible
To rebuild the image run:
docker-compose build
See the LICENSE.md file for details