Containerized Ansible CLI with additional tools and packages
Containerized Ansible CLI.
Contains additional tools/packages (s. Dockerfile).
Place the docker-compose.yml into your Ansible project and run
$ docker-compose run ansible
While using SSH key authentication method to access remote resources, ensure that the encrypted private
key is located at the .ssh/id_rsa path within the user directory.
$HOME/.ssh/id_rsa$USERPROFILE/.ssh/id_rsaAfter starting the Ansible container the key passphrase will be prompted.
$ docker-compose run ansibleStarting SSH Agent.Enter passphrase for /root/.ssh/id_rsa:
Ansible Vault allows to keep sensitive data like
passwords or keys encrypted. It supports encryption of whole files as well as single variables.
To clearly separate
and restrict access to different inventories/environments multiple Ansible Vault passwords are indispensable.
When operating Ansible playbooks frequently, typing the Vault password on every execution can be cumbersome, especially
with multiple environments in place.
While offering a possibility to reference password files, Ansible Vault does not provide a convenient feature to create or
manage those, apart from the fact that an official integration into a password manager like
Gnome-Keyring doesn’t exist.
To overcome the limitations of the status quo a convenient method to manage multiple Ansible Vault password
files is provided.
Initially an encrypted password file for every inventory/environment must be created using a personal master and environment
related Ansible Vault password. This is a one time operation per inventory/environment. Add .vault-password to thegitignore patterns to prevent accidental check-ins.
$ cd inventories/prod$ ansible-encrypt-vault-passwordEnter the master password for .vault-password files:Enter the vault password for prod inventory:Created /ansible/inventories/prod/.vault-password.
As a result master password encrypted inventories/prod/.vault-password file that contains the environment Ansible Vault
password is created.
The encrypted password files are loaded when a new container is started.
$ docker-compose run ansible...Decrypting Ansible Vault passwords.Enter decryption password for .vault-password files:Decrypting /ansible/inventories/prod/.vault-password.
Alternatively encrypted password files may be reloaded within existing container.
$ cd /ansible$ ansible-vault-initDecrypting Ansible Vault passwords.Enter decryption password for .vault-password files:Decrypting /ansible/inventories/prod/.vault-password.
Secret values are encrypted per inventory (e.g. inventory prod, secret value foo).
$ ansible-vault encrypt_string --encrypt-vault-id 'prod' 'foo'!vault |$ANSIBLE_VAULT;1.2;AES256;production-de336363326262643166613637313938613337643133613262623136643364353666663066646364343339643439333138303035373866363265326132653363380a303937343963303530666337396561316263346331623237313235393933303666333863383934396133323733623831373839306163623066383536323139610a6164346436646134353563653563306364356336663538646264396263356664
Bigger Ansible projects frequently utilize Ansible Galaxy Roles that can be installed using a requirements.yml file.
Roles installation can be triggered from the container.
$ cd /ansibleansible-galaxy-initSkipping Ansible Galaxy roles installation. No "/ansible/roles/requirements.yml" file present.
It’s a tiny wrapper for ansible-galaxy install -r /ansible/roles/requirements.yml that ensures that the requirements.yml
is placed into the right location expected by Ansible Tower.
You can run the locally build image with:
docker-compose run ansible
To rebuild the image run:
docker-compose build
See the LICENSE.md file for details