From 80c3d3332507fe620fcab99e65f2ffd81d48a69e Mon Sep 17 00:00:00 2001 From: Vinny Valdez Date: Tue, 29 Mar 2016 16:52:05 -0500 Subject: Add subscription-manager support for Hosted or Satellite --- roles/subscription-manager/README.md | 95 ++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 roles/subscription-manager/README.md (limited to 'roles/subscription-manager/README.md') diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md new file mode 100644 index 000000000..b140ad09a --- /dev/null +++ b/roles/subscription-manager/README.md 
@@ -0,0 +1,95 @@ +# Red Hat Subscription Manager Ansible Role + +## Parameters + +This role depends on user specified variables. These can be set in the inventory file, group_vars or passed to the playbook from the CLI. The variables are: + +### rhsm_method + +Subscription Manager method to use for registration. Valid values are: + +* **satellite** - Use a Satellite server. Additional variables required include **rhsm_server**, **rhsm_org** and either (**rhsm_username** and **rhsm_password**) or **rhsm_activationkey** +* **hosted** - Use Red Hat's CDN. Additional variables required are **rhsm_server** (defaults to RHSM CDN) and **rhsm_username** and **rhsm_password** +* none/false/blank will disable any subscription manager activities (this is the default if no parameters are set) + +Default: none + +### rhsm_server + +Subscription Manager server hostname. If using a Satellite server set the FQDN here. If using RHSM Hosted this value is ignored. + +Default: none + +### rhsm_username + +Subscription Manager username. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. + +Default: none + +### rhsm_password + +Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. + +Default: none + +### rhsm_org + +Optional Satellite Subscription Manager Organization. Required for Satellite, ignored if using RHSM Hosted. + +Default: none + +### rhsm_activationkey + +Optional Satellite Subscription Manager Activation Key, use this instead of **rhsm_username** and **rhsm_password** if using Satellite to provide repositories and authentication in a key instead. + +Default: none + +### rhsm_pool + +Optional Subscription Manager pool, determine this by running **subscription-manager list --available** on a registered system. Valid for RHSM Hosted or Satellite. Specifying **rhsm_activationkey** will ignore this option. 
+ +Default: none + +### rhsm_repos + +Optional Repositories to enable, this can also be specified in the **rhsm_activationkey**. Valid for RHSM Hosted or Satellite. Specifying **rhsm_activationkey** will ignore this option. + +NOTE: If specifying this value in an inventory file as opposed to group_vars, be sure to define it as a proper list as such: + +rhsm_repos='["rhel-7-server-rpms", "rhel-7-server-ose-3.1-rpms", "rhel-7-server-extras-rpms"]' + +Default: none + +## Pre-tasks + +A number of variable checks are performed before any tasks to ensure the proper parameters are set. To include these checks call the pre_task yaml before any roles: + +``` + pre_tasks: + - include: roles/subscription-manager/pre_tasks/pre_tasks.yml +``` + +## Tasks + +The bulk of the work is performed in the main.yml for this role. The pre-task play will set a variable which can be checked to contitionally include this role as such: + +``` + roles: + - { role: subscription-manager, when: not hostvars.localhost.rhsm_skip, tags: 'subscription-manager' } +``` + +## Running the Playbook + +To register to RHSM Hosted with username and password: + +``` +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_method='hosted' rhsm_username=vvaldez rhsm_password='hunter2' openstack_key_name='vvaldez'" +``` + +To register to a Satellite server with an activation key: + +``` +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_server='10.12.32.1' rhsm_org='cloud_practice' rhsm_activationkey='rhel-7-ose-3-1' openstack_key_name='vvaldez' rhsm_method='satellite'" +``` + +To ignore any Subscription Manager activities, simple do not set any parameters or explicitly set **rhsm_method** to false. -- cgit v1.2.3 From 177950b76a185c20317aa0e89d356cdf8b97c4c3 Mon Sep 17 00:00:00 2001 
From: Vinny Valdez Date: Wed, 30 Mar 2016 15:46:31 -0500 Subject: Refactor role to dynamically determine rhsm_method * Removes rhsm_method * Renames rhsm_server to rhsm_satellite * Add additional pre_task checks (hosted + key) * Change conditionals from rhsm_method check to rhsm_satellite defined * Change repos disable/enable from key to if repos are defined * Update README and examples in inventory file --- roles/subscription-manager/README.md | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) (limited to 'roles/subscription-manager/README.md') diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md index b140ad09a..e604c7475 100644 --- a/roles/subscription-manager/README.md +++ b/roles/subscription-manager/README.md 
@@ -2,21 +2,11 @@ ## Parameters -This role depends on user specified variables. These can be set in the inventory file, group_vars or passed to the playbook from the CLI. The variables are: +This role depends on user specified variables. These can be set in the inventory file, group_vars or passed to the playbook from the CLI. No values are set by default which disables this role. The variables are: -### rhsm_method +### rhsm_satellite -Subscription Manager method to use for registration. Valid values are: - -* **satellite** - Use a Satellite server. Additional variables required include **rhsm_server**, **rhsm_org** and either (**rhsm_username** and **rhsm_password**) or **rhsm_activationkey** -* **hosted** - Use Red Hat's CDN. Additional variables required are **rhsm_server** (defaults to RHSM CDN) and **rhsm_username** and **rhsm_password** -* none/false/blank will disable any subscription manager activities (this is the default if no parameters are set) - -Default: none - -### rhsm_server - -Subscription Manager server hostname. If using a Satellite server set the FQDN here. If using RHSM Hosted this value is ignored. +Subscription Manager server hostname. If using a Satellite server set the FQDN here. If using RHSM Hosted this value must be left blank, none or false. Default: none 
@@ -34,13 +24,13 @@ Default: none ### rhsm_org -Optional Satellite Subscription Manager Organization. Required for Satellite, ignored if using RHSM Hosted. +Optional Subscription Manager Satellite Organization. Required for Satellite, ignored if using RHSM Hosted. Default: none ### rhsm_activationkey -Optional Satellite Subscription Manager Activation Key, use this instead of **rhsm_username** and **rhsm_password** if using Satellite to provide repositories and authentication in a key instead. +Optional Subscription Manager Satellite Activation Key, use this instead of **rhsm_username** and **rhsm_password** if using Satellite to provide repositories and authentication in a key instead. Default: none @@ -52,7 +42,7 @@ Default: none ### rhsm_repos -Optional Repositories to enable, this can also be specified in the **rhsm_activationkey**. Valid for RHSM Hosted or Satellite. Specifying **rhsm_activationkey** will ignore this option. +Optional list of repositories to enable. If left blank it is expected that the **rhsm_activationkey** will specify repos instead. If populated, a **subscription-manager repos --disable=\*** will be run and each of the specified repos explicitly enabled. Valid for RHSM Hosted or Satellite NOTE: If specifying this value in an inventory file as opposed to group_vars, be sure to define it as a proper list as such: @@ -75,7 +65,7 @@ The bulk of the work is performed in the main.yml for this role. The pre-task pl ``` roles: - - { role: subscription-manager, when: not hostvars.localhost.rhsm_skip, tags: 'subscription-manager' } + - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager' } ``` ## Running the Playbook 
@@ -83,13 +73,13 @@ The bulk of the work is performed in the main.yml for this role. The pre-task pl To register to RHSM Hosted with username and password: ``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_method='hosted' rhsm_username=vvaldez rhsm_password='hunter2' openstack_key_name='vvaldez'" +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez rhsm_password=hunter2" ``` To register to a Satellite server with an activation key: ``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_server='10.12.32.1' rhsm_org='cloud_practice' rhsm_activationkey='rhel-7-ose-3-1' openstack_key_name='vvaldez' rhsm_method='satellite'" +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1" ``` -To ignore any Subscription Manager activities, simple do not set any parameters or explicitly set **rhsm_method** to false. +To ignore any Subscription Manager activities, simply do not set any parameters. -- cgit v1.2.3 From 96aaa6df25774e05cda3e4a6f73b030ae989100a Mon Sep 17 00:00:00 2001 From: Vinny Valdez Date: Tue, 5 Apr 2016 18:17:36 -0500 Subject: Refactor use of rhsm_password to prevent display to CLI --- roles/subscription-manager/README.md | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) (limited to 'roles/subscription-manager/README.md') diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md index e604c7475..a5dd1ac44 100644 --- a/roles/subscription-manager/README.md +++ b/roles/subscription-manager/README.md 
@@ -18,7 +18,9 @@ Default: none ### rhsm_password -Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. +Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. + +NOTE: This variable is prompted for at the start of the playbook run. This is for security purposes so the password is not left in the command history. If specified on the command-line or set in a variable file it will be ignored and the value captured from the prompt will overwrite it instead. Default: none @@ -50,7 +52,25 @@ rhsm_repos='["rhel-7-server-rpms", "rhel-7-server-ose-3.1-rpms", "rhel-7-server- Default: none -## Pre-tasks +## Calling This Role +Calling this role requires adding a **vars_prompt**, **pre_tasks**, and **roles** section of a play + +### vars_prompt +Unfortunately **vars_prompt** can only be used at the play level before role tasks are executed, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable + +Add a prompt to capture **rhsm_password** + +``` +- hosts: localhost + vars_prompt: + # Unfortunately vars_prompt can only be used at the play level before role tasks, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable + - name: "rhsm_password" + prompt: "Subscription Manager password (enter blank if using rhsm_activationkey or to disable registration)" + confirm: yes + private: yes +``` + +### pre-tasks A number of variable checks are performed before any tasks to ensure the proper parameters are set. To include these checks call the pre_task yaml before any roles: 
@@ -59,7 +79,7 @@ A number of variable checks are performed before any tasks to ensure the proper - include: roles/subscription-manager/pre_tasks/pre_tasks.yml ``` -## Tasks +### roles The bulk of the work is performed in the main.yml for this role. The pre-task play will set a variable which can be checked to contitionally include this role as such: @@ -73,7 +93,7 @@ The bulk of the work is performed in the main.yml for this role. The pre-task pl To register to RHSM Hosted with username and password: ``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez rhsm_password=hunter2" +ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez" ``` To register to a Satellite server with an activation key: @@ -82,4 +102,4 @@ To register to a Satellite server with an activation key: ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1" ``` -To ignore any Subscription Manager activities, simply do not set any parameters. +To ignore any Subscription Manager activities, simply do not set any parameters. When prompted for the password, hit **Enter** to set a blank password. -- cgit v1.2.3 From 39f973fcfd40fde18f5e92259d05e4ba6b30e22e Mon Sep 17 00:00:00 2001 From: Vinny Valdez Date: Fri, 8 Apr 2016 18:44:23 -0500 Subject: Remove vars_prompt, add info to README to re-enable and for ansible-vault --- roles/subscription-manager/README.md | 91 ++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 20 deletions(-) (limited to 'roles/subscription-manager/README.md') diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md index a5dd1ac44..748de282c 100644 --- a/roles/subscription-manager/README.md +++ b/roles/subscription-manager/README.md 
@@ -20,7 +20,48 @@ Default: none Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this. -NOTE: This variable is prompted for at the start of the playbook run. This is for security purposes so the password is not left in the command history. If specified on the command-line or set in a variable file it will be ignored and the value captured from the prompt will overwrite it instead. +NOTE: If this variable is specified on the command-line or set in a variable file it may leave your password exposed. For this reason you may perfer to use an Activation Key if using Satellite. For RHSM Hosted, your password must be specified. There are two ways to provide the password to the Ansible playbook without exposing it to prying eyes. + +1. The first method is to use a **vars_prompt** to collect the password up front one time for the playbook. Ansible will not display the password if the prompt is configured as **private** and the task will not display the password on the CLI. This is the a good method as it supports automating the task to every host with only one password entry. To enable **vars_prompt** add the following to the very top of your playbook after the **hosts** declaration and before any **pre_tasks** section: + + ``` + - hosts: localhost + # Add the following lines after a -hosts: declaration and before pre_tasks: + # Start of vars_prompt code block + vars_prompt: + - name: "rhsm_password" + prompt: "Subscription Manager password" + confirm: yes + private: yes + # End of vars_prompt code block + pre_tasks: + ``` + +2. A second method is to use an encrypted file via **ansible-vault**. This does does not require modifying any code as the previous method, but does require more work to create and encrypt the file. 
To accomplish this, first create a file containing at least the **rhsm_password** variable (it is also possible to specify additional variables to encrypt them all as well): + 1. Create a file to contain the variable such as **secrets.yml**: + + ``` + --- + rhsm_password: "my_secret_password" + # other variables can optionally be placed here as well + ``` + + 2. Encrypt the file with **ansible-vault**: + + ``` + $ ansible-vault encrypt secrets.yml + Vault password: + Confirm Vault password: + Encryption successful + ``` + + 3. When executing **ansible-playbook** specify **--ask-vault-pass** to be prompted for the decryption password, and also specify the location of the **secrets.yml** as such: + + ``` + $ ansible-playbook --ask-vault-pass --extra-vars=@secrets.yml --extra-vars="rhsm_username=myusername" + ``` + + NOTE: Optionally the file containing the encrypted variables can be decrypted with **ansible-vault** and the **--ask-vault-pass** option omitted to prevent any password prompting (for automated runs) and the file can be encrypted after the run. This can be used if an external system such as Jenkins would handle the decryption/encryption outside of Ansible. Default: none 
@@ -53,21 +94,24 @@ rhsm_repos='["rhel-7-server-rpms", "rhel-7-server-ose-3.1-rpms", "rhel-7-server- Default: none ## Calling This Role -Calling this role requires adding a **vars_prompt**, **pre_tasks**, and **roles** section of a play +Calling this role is done at both **pre_tasks** and **roles** sections of a playbook and optionally a **vars_prompt**. ### vars_prompt -Unfortunately **vars_prompt** can only be used at the play level before role tasks are executed, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable +Unfortunately **vars_prompt** can only be used at the play level before role tasks are executed, so this is the only place it can go. It also cannot be shown conditionally. For this reason it is not included in this role by default. A better method may be using a file containing the password variable encrypted with **ansible-vault**. See the **rhsm_password** section for more details. -Add a prompt to capture **rhsm_password** +To Add a prompt to capture **rhsm_password**: ``` - hosts: localhost + # Add the following lines after a -hosts: declaration and before pre_tasks: + # Start of vars_prompt code block vars_prompt: - # Unfortunately vars_prompt can only be used at the play level before role tasks, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable - name: "rhsm_password" - prompt: "Subscription Manager password (enter blank if using rhsm_activationkey or to disable registration)" + prompt: "Subscription Manager password" confirm: yes private: yes + # End of vars_prompt code block + pre_tasks: ``` ### pre-tasks 
@@ -75,8 +119,8 @@ Add a prompt to capture **rhsm_password** A number of variable checks are performed before any tasks to ensure the proper parameters are set. To include these checks call the pre_task yaml before any roles: ``` - pre_tasks: - - include: roles/subscription-manager/pre_tasks/pre_tasks.yml +pre_tasks: +- include: roles/subscription-manager/pre_tasks/pre_tasks.yml ``` ### roles 
@@ -84,22 +128,29 @@ A number of variable checks are performed before any tasks to ensure the proper The bulk of the work is performed in the main.yml for this role. The pre-task play will set a variable which can be checked to contitionally include this role as such: ``` - roles: - - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager' } +roles: + - { role: subscription-manager, when: hostvars.localhost.rhsm_register, tags: 'subscription-manager' } ``` -## Running the Playbook +## Running Playbooks with this Role -To register to RHSM Hosted with username and password: +- To register to RHSM Hosted or Satellite with a username and plain text password (NOTE: This may retain your password in your CLI history): -``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez" -``` + ``` + $ ansible-playbook --extra-vars="rhsm_username=vvaldez rhsm_password=my_secret_password " + ``` -To register to a Satellite server with an activation key: +- To register to RHSM Hosted or Satellite with username and an encrypted file containing the password: -``` -ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1" -``` + ``` + $ ansible-playbook --ask-vault-pass --extra-vars=@secrets.yml --extra-vars="rhsm_username=myusername" + + ``` + +- To register to a Satellite server with an activation key: + + ``` + $ ansible-playbook --extra-vars="rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1 " -To ignore any Subscription Manager activities, simply do not set any parameters. When prompted for the password, hit **Enter** to set a blank password. + ``` +- To ignore any Subscription Manager activities, simply do not set any parameters. -- cgit v1.2.3
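
Review bot: In commit 80c3d33, hunk @@ -0,0 +1,95 @@, the "Running the Playbook" example passes the password on the command line (rhsm_password='hunter2'), which leaves it in shell history and visible in the process list for the duration of the run. Suggest dropping rhsm_password from the example and documenting a prompt or an encrypted vars file instead. Two smaller points in the same hunk: the **hosted** bullet lists rhsm_server as required while the rhsm_server section says the value is ignored for RHSM Hosted, and the Satellite example sets rhsm_server to an IP address although the section asks for an FQDN.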
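
Review bot: In commit 177950b, hunk @@ -2,21 +2,11 @@, with rhsm_method removed the README no longer says which combination of variables turns registration on. "No values are set by default which disables this role" covers the empty case, but RHSM Hosted is now selected only by leaving rhsm_satellite "blank, none or false", so a reader cannot tell Hosted apart from disabled without reading the pre_tasks. Suggest one sentence stating the rule explicitly, for example that registration runs when rhsm_username and rhsm_password, or rhsm_activationkey, are set.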
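
Review bot: In commit 177950b, hunk @@ -52,7 +42,7 @@, the new rhsm_repos text does not say what happens when both rhsm_activationkey and rhsm_repos are set. The previous wording said the key made this option ignored; now a populated list triggers subscription-manager repos --disable=\*, which would also switch off any repositories the activation key enabled. Suggest documenting that rhsm_repos takes precedence in that case, and adding the missing period after "Valid for RHSM Hosted or Satellite".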
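
Review bot: In commit 96aaa6d, hunk @@ -18,7 +18,9 @@, the added NOTE says a password given on the command line "will be ignored and the value captured from the prompt will overwrite it", which does not match how vars_prompt behaves with extra vars. Ansible skips a vars_prompt entry when the variable is already defined through --extra-vars, so a password passed with -e is used as given and no prompt appears. Suggest rewording the NOTE to say the prompt is the recommended way to supply the password and that passing it with -e bypasses the prompt and still exposes it in command history.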
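
Review bot: In commit 96aaa6d, hunk @@ -50,7 +52,25 @@, the prompt is unconditional and uses confirm: yes, so anyone registering with rhsm_activationkey or not registering at all has to enter a blank password twice on every run. Suggest saying so in the prose above the block, or dropping confirm for this prompt. The YAML comment inside vars_prompt also repeats the preceding paragraph word for word, including the URL, and can be removed.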
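
Review bot: In commit 39f973f, hunk @@ -20,7 +20,48 @@, method 2 has the user write secrets.yml in plain text and encrypt it afterwards, so the password sits unencrypted on disk (and possibly in editor backup files) between steps 1 and 2. Suggest documenting ansible-vault create secrets.yml, which opens an editor and only ever writes the encrypted file. The closing NOTE has the same problem for automated runs, since decrypting the file before the run leaves the password readable while the playbook executes; --vault-password-file keeps the vars file encrypted and still avoids the prompt. The step 3 command also omits the playbook name, and the added text has typos: "perfer", "the a good method", "does does", and "-hosts:" for "- hosts:".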
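
Review bot: In commit 39f973f, hunk @@ -84,22 +128,29 @@, the first bullet brings back a plain text password on the command line (rhsm_password=my_secret_password) after the previous commit had removed it from the examples. The parenthetical warns about CLI history, but the value is also visible in the process list while the playbook runs; suggest listing the vault example first and marking the plain text form as not recommended. The rewritten examples also drop the inventory and playbook arguments the earlier versions carried (-i inventory/ose-provision ose-provision.yml), so none of them runs as written, and two of them have a stray trailing space inside the quoted --extra-vars string and a blank line before the closing fence.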