garutilorenzo / ansible-role-linux-gluster

Ansible role used to install and configure gluster, NFS ganesha and pacemaker for HA
GNU General Public License v3.0

Could replace the need to supply hacluster password #1

Open 0lzi opened 8 months ago

0lzi commented 8 months ago

I created a similar role and used the below so that the hacluster password no longer has to be passed as a var.


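```yaml
- name: Create random password
  ansible.builtin.set_fact:
    # '/dev/null' as the path means the generated value is not stored on the controller.
    # 'seed' makes the lookup derive the password from the given value (here the fact-gathering time).
    ha_userpass: "{{ lookup('ansible.builtin.password', '/dev/null', seed=ansible_date_time.time) }}"

- name: Change hacluster user password
  ansible.builtin.user:
    name: hacluster
    update_password: always
    # password_hash without an explicit salt picks a new random salt on each run
    password: "{{ ha_userpass | password_hash('sha512') }}"
```

garutilorenzo commented 7 months ago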

Hello @0lzi, thanks for sharing 😀 I will make some tests, but I think this will create a different password each time Ansible is run, and with this approach the role is not idempotent. Also, this will create a different password on all the hosts (I need to check the docs to see if this is allowed).

0lzi commented 7 months ago

Yes, I spotted that when I was running it myself. I did tweak it slightly over the weekend, to the below:

```yaml
- name: Create random password
  ansible.builtin.set_fact:
    ha_userpass: "{{ lookup('ansible.builtin.password', '/dev/null', seed=ansible_date_time.time) }}"
  delegate_to: localhost
  # run_once: evaluate the task once and apply the resulting fact to every host in the batch
  run_once: true

- name: Change hacluster user password
  ansible.builtin.user:
    name: hacluster
    update_password: always
    password: "{{ ha_userpass | password_hash('sha512') }}"
```

This will generate a password and then use that across all hosts, and if you are using `update_password: always` it will always change it with a newly generated password each run, which does take away the idempotent element with my task.
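
One way to address the idempotency and shared-password points raised in this thread, as an added example that is not code from either commenter or from the role. The credentials path is a hypothetical location on the controller; `ha_userpass` is the fact name used in the thread.

```yaml
# Added example; assumes a controller-side file at
# <playbook_dir>/credentials/hacluster_password (hypothetical path).
- name: Generate the hacluster password once and reuse it on later runs
  ansible.builtin.set_fact:
    # With a real file path instead of /dev/null, the password lookup stores
    # the generated value in that file on the controller and returns the same
    # value on every subsequent run. No seed is passed, so the value is not
    # derived from the time of day.
    ha_userpass: >-
      {{ lookup('ansible.builtin.password',
                playbook_dir + '/credentials/hacluster_password',
                length=32, chars=['ascii_letters', 'digits']) }}
  # Lookups are evaluated on the controller; run_once shares the fact
  # with every host in the batch so all cluster nodes get the same password.
  run_once: true
  no_log: true

- name: Set hacluster user password
  ansible.builtin.user:
    name: hacluster
    update_password: always
    # A salt that is stable between runs keeps the resulting hash identical,
    # so the user module reports "changed" only when the password changes.
    # The seeded-random salt expression is the pattern shown in the Ansible
    # documentation for idempotent password hashes.
    password: >-
      {{ ha_userpass
         | password_hash('sha512',
                         65534 | random(seed=inventory_hostname) | string) }}
  # Keep the plaintext and the hash out of task output and logs.
  no_log: true
```

The stored file holds the cleartext password, so keep it out of version control and restrict access to it on the controller.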