Эх сурвалжийг харах

Update ansible configuration to be compatible with Ansible 2

Emmanuel Bouthenot 8 жил өмнө
parent
commit
bce175f75c
1 өөрчлөгдсөн 192 нэмэгдсэн , 64 устгасан
  1. 192 64
      ansible.cfg

+ 192 - 64
ansible.cfg

@@ -1,7 +1,7 @@
 # config file for ansible -- http://ansible.com/
 # ==============================================
 
-# nearly all parameters can be overridden in ansible-playbook 
+# nearly all parameters can be overridden in ansible-playbook
 # or with command line flags. ansible will read ANSIBLE_CONFIG,
 # ansible.cfg in the current working directory, .ansible.cfg in
 # the home directory or /etc/ansible/ansible.cfg, whichever it
@@ -11,18 +11,19 @@
 
 # some basic default values...
 
-hostfile       = /etc/ansible/hosts
-library        = /usr/share/ansible
-remote_tmp     = $HOME/.ansible/tmp
-pattern        = *
-forks          = 25
-poll_interval  = 15
-sudo_user      = root
+#inventory      = /etc/ansible/hosts
+#library        = /usr/share/my_modules/
+#remote_tmp     = $HOME/.ansible/tmp
+#local_tmp      = $HOME/.ansible/tmp
+#forks          = 5
+#poll_interval  = 15
+#sudo_user      = root
 #ask_sudo_pass = True
 #ask_pass      = True
-transport      = smart
-remote_port    = 22
-module_lang    = C
+#transport      = smart
+#remote_port    = 22
+#module_lang    = C
+#module_set_locale = True
 
 # plays will gather facts by default, which contain information about
 # the remote system.
@@ -30,7 +31,19 @@ module_lang    = C
 # smart - gather by default, but don't regather if already gathered
 # implicit - gather by default, turn off with gather_facts: False
 # explicit - do not gather by default, must say gather_facts: True
-gathering = implicit
+gathering = smart
+
+# by default retrieve all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#gather_subset = all
 
 # additional paths to search for roles in, colon separated
 #roles_path    = /etc/ansible/roles
@@ -38,22 +51,35 @@ gathering = implicit
 # uncomment this to disable SSH key host checking
 #host_key_checking = False
 
+# change the default callback
+stdout_callback = skippy
+# enable additional callbacks
+#callback_whitelist = timer, mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#task_includes_static = True
+#handler_includes_static = True
+
 # change this for alternative sudo implementations
-sudo_exe = sudo
+#sudo_exe = sudo
 
-# what flags to pass to sudo
-#sudo_flags = -H
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
 
 # SSH timeout
-timeout = 10
+#timeout = 10
 
 # default user to use for playbooks if user is not specified
 # (/usr/bin/ansible will use current user as default)
-remote_user = root
+#remote_user = root
 
 # logging is off by default unless this path is defined
 # if so defined, consider logrotate
-#log_path = /var/log/ansible.lo
+#log_path = /var/log/ansible.log
 
 # default module name for /usr/bin/ansible
 #module_name = command
@@ -68,32 +94,53 @@ remote_user = root
 # this can also be set to 'merge'.
 #hash_behaviour = replace
 
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
 # list any Jinja2 extensions to enable here:
 #jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
 
-# if set, always use this private key file for authentication, same as 
+# if set, always use this private key file for authentication, same as
 # if passing --private-key to ansible or ansible-playbook
 #private_key_file = /path/to/file
 
-# format of string {{ ansible_managed }} available within Jinja2 
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+#vault_password_file = /path/to/vault_password_file
+
+# format of string {{ ansible_managed }} available within Jinja2
 # templates indicates to users editing templates files will be replaced.
 # replacing {file}, {host} and {uid} and strftime codes with proper values.
-ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+# This short version is better used in templates as it won't flag the file as changed every run.
+#ansible_managed = Ansible managed: {file} on {host}
 
 # by default, ansible-playbook will display "Skipping [host]" if it determines a task
-# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping" 
-# messages. NOTE: the task header will still be shown regardless of whether or not the 
+# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
 # task is skipped.
 display_skipped_hosts = False
 
-# by default (as of 1.3), Ansible will raise errors when attempting to dereference 
+# by default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args.  This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed.  If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#display_args_to_stdout = False
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
 # Jinja2 variables that are not set in templates or action lines. Uncomment this line
 # to revert the behavior to pre-1.3.
 #error_on_undefined_vars = False
 
 # by default (as of 1.6), Ansible may display warnings based on the configuration of the
-# other conditions that should be resolved if possible.
 # system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
 # to disable these warnings, set the following value to False:
 #system_warnings = True
 
@@ -105,59 +152,112 @@ display_skipped_hosts = False
 # (as of 1.8), Ansible can optionally warn when usage of the shell and
 # command module appear to be simplified by using a default Ansible module
 # instead.  These warnings can be silenced by adjusting the following
-# setting or adding warn=yes or warn=no to the end of the command line 
+# setting or adding warn=yes or warn=no to the end of the command line
 # parameter string.  This will for example suggest using the git module
 # instead of shelling out to the git command.
 # command_warnings = False
 
 
 # set plugin path directories here, separate with colons
-action_plugins     = /usr/share/ansible_plugins/action_plugins
-callback_plugins   = /usr/share/ansible_plugins/callback_plugins
-connection_plugins = /usr/share/ansible_plugins/connection_plugins
-lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
-vars_plugins       = /usr/share/ansible_plugins/vars_plugins
-filter_plugins     = /usr/share/ansible_plugins/filter_plugins
+#action_plugins     = /usr/share/ansible/plugins/action
+#callback_plugins   = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins     = /usr/share/ansible/plugins/lookup
+#vars_plugins       = /usr/share/ansible/plugins/vars
+#filter_plugins     = /usr/share/ansible/plugins/filter
+#test_plugins       = /usr/share/ansible/plugins/test
+#strategy_plugins   = /usr/share/ansible/plugins/strategy
 
 # by default callbacks are not loaded for /bin/ansible, enable this if you
-# want, for example, a notification or logging callback to also apply to 
+# want, for example, a notification or logging callback to also apply to
 # /bin/ansible runs
 #bin_ansible_callbacks = False
 
 
 # don't like cows?  that's unfortunate.
-# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
 nocows = 1
 
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+#       in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
 # don't like colors either?
 # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
 #nocolor = 1
 
-# the CA certificate path used for validating SSL certs. This path 
-# should exist on the controlling node, not the target nodes
-# common locations:
-# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
-# Fedora     : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-# Ubuntu     : /usr/share/ca-certificates/cacert.org/cacert.org.crt
-#ca_file_path = 
-
-# the http user-agent string to use when fetching urls. Some web server
-# operators block the default urllib user agent as it is frequently used
-# by malicious attacks/scripts, so we set it to something unique to 
-# avoid issues.
-#http_user_agent = ansible-agent
-
 # if set to a persistent type (not 'memory', for example 'redis') fact values
 # from previous runs in Ansible will be stored.  This may be useful when
 # wanting to use, for example, IP information from one group of servers
 # without having to talk to them in the same playbook run to get their
 # current IP information.
-fact_caching = memory
+#fact_caching = memory
+
 
 # retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
 #retry_files_enabled = False
 #retry_files_save_path = ~/.ansible-retry
 
+# squash actions
+# Ansible can optimise actions that call modules with list parameters
+# when looping. Instead of calling the module once per with_ item, the
+# module is called once with all items at once. Currently this only works
+# under limited circumstances, and only with parameters named 'name'.
+#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+no_target_syslog = True
+
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine.  This option is False by default for security.  Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x.  See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+var_compression_level = 9
+
+# controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system.  The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory
+# variable
+module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#max_diff_size = 1048576
+
+[privilege_escalation]
+#become=True
+#become_method=sudo
+#become_user=root
+#become_ask_pass=False
+
 [paramiko_connection]
 
 # uncomment this line to cause the paramiko connection plugin to not record new host
@@ -172,44 +272,49 @@ fact_caching = memory
 [ssh_connection]
 
 # ssh arguments to use
-# Leaving off ControlPersist will result in poor performance, so use 
+# Leaving off ControlPersist will result in poor performance, so use
 # paramiko on older platforms rather than removing it
 #ssh_args = -o ControlMaster=auto -o ControlPersist=60s
 ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes
 
 # The path to use for the ControlPath sockets. This defaults to
 # "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
-# very long hostnames or very long path names (caused by long user names or 
+# very long hostnames or very long path names (caused by long user names or
 # deeply nested home directories) this can exceed the character limit on
-# file socket names (108 characters for most platforms). In that case, you 
+# file socket names (108 characters for most platforms). In that case, you
 # may wish to shorten the string below.
-# 
-# Example: 
+#
+# Example:
 # control_path = %(directory)s/%%h-%%r
 #control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
 
-# Enabling pipelining reduces the number of SSH operations required to 
-# execute a module on the remote server. This can result in a significant 
-# performance improvement when enabled, however when using "sudo:" you must 
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
 # first disable 'requiretty' in /etc/sudoers
 #
 # By default, this option is disabled to preserve compatibility with
 # sudoers configurations that have requiretty (the default on many distros).
-# 
-#pipelining = False
+#
+pipelining = True
 
-# if True, make ansible use scp if the connection type is ssh 
+# if True, make ansible use scp if the connection type is ssh
 # (default is sftp)
 #scp_if_ssh = True
 
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
 [accelerate]
-accelerate_port = 5099
-accelerate_timeout = 30
-accelerate_connect_timeout = 5.0
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
 
 # The daemon timeout is measured in minutes. This time is measured
 # from the last activity to the accelerate daemon.
-accelerate_daemon_timeout = 30 
+#accelerate_daemon_timeout = 30
 
 # If set to yes, accelerate_multi_key will allow multiple
 # private keys to be uploaded to it, though each user must
@@ -217,3 +322,26 @@ accelerate_daemon_timeout = 30
 # is "no".
 #accelerate_multi_key = yes
 
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+changed = bright yellow
+diff_add = bright green
+diff_remove = bright red
+#diff_lines = cyan