A follow-up question after "Inconsistent list indent in Ansible/Yaml file". The Ansible hardening task part below uses `shell` to run commands, and the exclamation mark is used there to negate the exit value. Because of the special meaning of the exclamation mark in the YAML spec, the mark is removed and the negation part of the shell command is lost.
```yaml
# R-238374 UBTU-20-010454
- name: check if ufw.service is installed
  shell: ! systemctl list-unit-files | grep "^ufw.service[ \t]\+"
  changed_when: False
  check_mode: no
  register: result
  failed_when: result.rc > 1
- name: stigrule_238374_ufw_active
  service:
    name: ufw.service
    enabled: "{{ ubuntu2004STIG_stigrule_238374_ufw_active_Enabled }}"
  when:
    - ubuntu2004STIG_stigrule_238374_Manage
    - result.rc == 0

# R-238374 UBTU-20-010454
- name: check if ufw.service is installed
  shell: ! systemctl list-unit-files | grep "^ufw.service[ \t]\+"
  changed_when: False
  check_mode: no
  register: result
  failed_when: result.rc > 1
- name: stigrule_238374_ufw_start
  service:
    name: ufw.service
    state: "{{ ubuntu2004STIG_stigrule_238374_ufw_start_State }}"
  when:
    - ubuntu2004STIG_stigrule_238374_Manage
    - result.rc == 0
```
So `shell: ! systemctl list-unit-files | grep "^ufw.service[ \t]\+"` becomes `shell: systemctl list-unit-files | grep "^ufw.service[ \t]\+"`.
What can be done to leave the exclamation mark as is?
P.S.: The solutions below about tags and custom constructors did not work:
- Unable to add list member
- Python ruamel.yaml dumps tags with quotes
- Why I get quotes in the output of yaml file if I use exclamation mark?
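An added example, not code from the question or from the STIG role it quotes. A bare `!` at the start of an unquoted (plain) scalar is YAML tag syntax, and the loader consumes it before Ansible ever sees the string. Making the `!` part of the string value, either by quoting the scalar or by using a block scalar, keeps it. The task names and variables are the question's own; the `debug` task is added to show the value the conditions use.

```yaml
# Added example, not code from the question or the STIG role it quotes.
# Quoting the scalar keeps the leading "!": YAML only treats "!" as a tag
# in an unquoted (plain) scalar. Names are the question's own.
# R-238374 UBTU-20-010454
- name: check if ufw.service is installed
  # single-quoted: the whole string, "!" included, reaches /bin/sh -c
  shell: '! systemctl list-unit-files | grep "^ufw.service[ \t]\+"'
  changed_when: false
  check_mode: false
  register: result
  # sh inverts the pipeline status: rc 0 = grep found no ufw.service line,
  # rc 1 = it found one; anything above 1 is a genuine error
  failed_when: result.rc > 1

# Block-scalar form: the content of a literal or folded scalar is taken
# verbatim, so "!" needs no quoting or escaping there either
- name: check if ufw.service is installed (block scalar form)
  shell: >-
    ! systemctl list-unit-files | grep "^ufw.service[ \t]\+"
  changed_when: false
  check_mode: false
  register: result
  failed_when: result.rc > 1

- name: show the exit status the following conditions will use
  debug:
    msg: "rc={{ result.rc }} (0 means no ufw.service unit was listed)"
```

Because the negation is applied by the shell, `result.rc` is inverted relative to a plain `grep`: 0 now means the unit was not found and 1 means it was, so any `when: result.rc == 0` that follows should be read with that in mind.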
Related
I have this simple playbook:
```yaml
---
- name: JVM Status
  shell: "ps -ef | grep {{item}} | grep -v grep | grep {{wasUser}} | wc -l"
  loop: "{{jvmStatusList}}"
  become: yes
  become_user: "{{wasUser}}"
  register: statusResult
- debug:
    # was "items.item" in the post, which is an undefined variable
    msg: "{{item.item}} is started"
  loop: "{{statusResult.results}}"
  when: item.stdout != 0
- debug:
    msg: "{{item.item}} is stopped"
  loop: "{{ statusResult.results }}"
  when: item.stdout == 0
...
```
and when I run it, it doesn't take the condition into account.
I have verified what my `item.stdout` returns: 2 items are started and 1 is stopped, but all three are returned in the first debug while the second one is skipped by all.
Can anyone help?
I thought maybe the problem was that my stdout result was not trimmed, so I tried different syntaxes including `item.stdout | trim`, but no change. I also tried using `item.stdout is 1` instead of `!= 0`.
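An added example, not code from the question. `stdout` of a registered shell result is always a string, so `"0" != 0` is true and `"0" == 0` is false for every item, which is exactly the behaviour described. Casting with `| int` makes the comparison numeric. The variable names are the question's own; `| quote` is added so that a value with shell metacharacters cannot change the command.

```yaml
# Added example, not from the question: stdout is a string, so it must be
# cast before a numeric comparison. jvmStatusList and wasUser are the
# question's variables.
- name: JVM Status
  shell: "ps -ef | grep {{ item | quote }} | grep -v grep | grep {{ wasUser | quote }} | wc -l"
  loop: "{{ jvmStatusList }}"
  become: yes
  become_user: "{{ wasUser }}"
  register: statusResult
  changed_when: false   # a status check never changes the host

- debug:
    msg: "{{ item.item }} is started ({{ item.stdout | trim }} process(es))"
  loop: "{{ statusResult.results }}"
  # trim removes the trailing newline, int turns "2" into 2
  when: item.stdout | trim | int > 0

- debug:
    msg: "{{ item.item }} is stopped"
  loop: "{{ statusResult.results }}"
  when: item.stdout | trim | int == 0
```

Comparing against the string `"0"` instead of casting would also work, but the `| int` form keeps the intent (a process count) readable and survives a stray space in the output.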
Team, I have a kubeconfig file and I need to compare whether the context name and current-context are the same; if yes, I want to proceed, else fail. Below is my shell, which I want to integrate and run with Ansible.
```
$ cat cluster-user.kubeconfig | yq .contexts[0].name
"site.test.com"
$ cat cluster-user.kubeconfig | yq .[\"current-context\"]
"site.test.com"
```
```yaml
- name: "GET API server current-context name with YQ.. "
  shell: "cat cluster-user.kubeconfig | yq .[\"current-context\"]"
  register: string1
  ignore_errors: true
- debug:
    var: string1.stdout_lines
  when: string1.stdout != ''
- name: "GET API server contexts name with YQ.. "
  shell: "cat cluster-user.kubeconfig | yq .contexts[0].name"
  register: string2
  ignore_errors: true
- debug:
    var: string2.stdout_lines
  when: string2.stdout != ''
- name: "Validate if both string1 and string2 are same, if yes proceed.. "
  failed_when: string2.stdout != string1.stdout
```
Output:
```
on the exact syntax problem.

The offending line appears to be:

- name: "Validate if both string1 and string2 are same, if yes proceed.. "
  ^ here
```
Any hint what I am missing?
Can you try this:
```yaml
- fail:
    msg: "Validate if both string1 and string2 are same, if yes proceed..."
  when: "'{{ string2.stdout }}' != '{{ string1.stdout }}'"
```
`failed_when`: This is used to fail the particular task when the condition is met (Failed_When Ansible Documentation).
`fail`: This is used to fail the progress with a custom message (Fail Ansible Documentation).
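An added example, not code from the question or from the answer above. It avoids shelling out to `yq` altogether: `slurp` reads the file, the `from_yaml` filter parses it, and the `assert` module stops the play with a clear message when the two names differ. The file name is the question's own; no other names are assumed.

```yaml
# Added example, not from the question or answer: parse the kubeconfig with
# Ansible's own filters and let assert decide whether to proceed.
- name: Read kubeconfig
  slurp:
    src: cluster-user.kubeconfig
  register: kubeconfig_raw

- name: Parse kubeconfig
  set_fact:
    # slurp returns the file base64-encoded; from_yaml gives a dict
    kubeconfig: "{{ kubeconfig_raw.content | b64decode | from_yaml }}"

- name: Validate that current-context matches the first context
  assert:
    that:
      - "kubeconfig['current-context'] == kubeconfig.contexts[0].name"
    fail_msg: >-
      current-context is {{ kubeconfig['current-context'] }} but the first
      context is {{ kubeconfig.contexts[0].name }}
    success_msg: "current-context is {{ kubeconfig['current-context'] }}, proceeding"
```

`assert` fails the task (and so the play for that host) on its own, so neither `failed_when` nor a separate `fail` task is needed, and there is no templating inside a `when` expression.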
I am trying to run a simple Ansible playbook but keep getting the following error, and I'm not sure why.
`ERROR: register is not a legal parameter of an Ansible Play`
Below is the code I am trying to execute:
```yaml
---
- name: Get SELinux sestatus
  command: sestatus | grep enforcing | grep 'config file'
  register: sestatus
- name: Check if module1.pp exists
  stat:
    path: bin/module1.pp
  register: module1_pp
- name: Disable SELinux if enforcing
  sudo: yes
  command: "{{ item }}"
  with_items:
    - setenforce 0
    - semodule -i bin/module1.pp
    - setsebool -P httpd_can_network_connect 1
  when: sestatus.rc == 0 and module1.stat.exists == true
```
That's your entire playbook? You're missing your hosts and tasks declaration.
```yaml
- hosts: some_hosts
  tasks:
    - name: Get SELinux sestatus
      # shell, not command: the command module runs no shell, so the pipes
      # would be passed to sestatus as plain arguments
      shell: sestatus | grep enforcing | grep 'config file'
      register: sestatus
      # grep exits 1 when nothing matches; only rc > 1 is a real error
      failed_when: sestatus.rc > 1
    - name: Check if module1.pp exists
      stat:
        path: bin/module1.pp
      register: module1_pp
    - name: Disable SELinux if enforcing
      become: yes   # "sudo: yes" is the removed pre-2.x spelling of become
      command: "{{ item }}"
      with_items:
        - setenforce 0
        - semodule -i bin/module1.pp
        - setsebool -P httpd_can_network_connect 1
      # the stat result was registered as module1_pp, not module1
      when: sestatus.rc == 0 and module1_pp.stat.exists == true
```
I am running several shell commands in an Ansible playbook that may or may not modify a configuration file.
One of the items in the playbook is to restart the service, but I only want to do this if a variable is set.
I am planning on registering a result in each of the shell tasks, but I do not want to overwrite the variable if it is already set to 'restart_needed' or something like that.
The idea is that the restart should be the last thing to go: if any of the commands set the restart variable, it will go, and if none of them did, the service will not be restarted. Here is an example of what I have so far...
```yaml
tasks:
  - name: Make a backup copy of file
    copy: src={{ file_path }} dest={{ file_path }}.{{ date }} remote_src=true owner=root group=root mode=644 backup=yes
  - name: get list of items
    shell: |
      grep <file>
    register: result
  - name: output will be 'restart_needed'
    shell: |
      NUM=14"s"; if [ "${NUM}" != "s" ]; then sed -i "${NUM}/no/yes/g" {{ file_path }}; echo "restart_needed"; else echo "nothing_changed" ; fi
    with_items: "{{ result.stdout_lines }}"
    register: output
  - name: output will be 'nothing_changed'
    shell: |
      # ";;" before "fi" was a typo in the post; ";" ends the else branch
      NUM="s"; if [ "${NUM}" != "s" ]; then sed -i "${NUM}/no/yes/g" {{ file_path }}; echo "restart_needed"; else echo "nothing_changed" ; fi
    with_items: "{{ result.stdout_lines }}"
    register: output
  - name: Restart service
    service: name=myservice enabled=yes state=restarted
```
In the above example, the variable `output` will be set to 'restart_needed' after the first task but then will be changed to 'nothing_changed' in the second task.
I want to keep the variable at 'restart_needed' if it is already there, and then kick off the restart service task only if the variable is set to 'restart_needed'.
Thanks!
For triggering restarts, you have two options: the when statement or handlers.
When statement example:
```yaml
tasks:
  - name: check if string "foo" exists in somefile
    shell: grep -q foo somefile
    register: result
  - name: restart service
    service:
      name: myservice
      enabled: yes
      state: restarted
    when: result.rc == 0
```
Handlers example:
```yaml
tasks:
  - name: check if string "foo" exists in somefile
    shell: grep -q foo somefile
    register: result
    changed_when: "result.rc == 0"
    notify: restart service
handlers:
  - name: restart service
    service:
      name: myservice
      enabled: yes
      state: restarted
```
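An added example, not code from the question or the answer above, showing the "sticky flag" the question asks for: each loop result is inspected, and `set_fact` only ever turns `restart_needed` on, never back off, because the new value is OR-ed with the previous one via `default(false)`. The service name, `file_path` and the `restart_needed` marker are the question's own; the config path and the `=no$` pattern are assumed placeholders.

```yaml
# Added example, not from the question or answer: accumulate a restart flag
# across several shell tasks without ever overwriting a "true".
- hosts: all
  become: yes
  vars:
    file_path: /etc/myservice/myservice.conf   # assumed path
  tasks:
    - name: Make a backup copy of file
      copy:
        src: "{{ file_path }}"
        dest: "{{ file_path }}.{{ ansible_date_time.date }}"
        remote_src: true
        owner: root
        group: root
        mode: "0644"

    - name: Get line numbers of options still set to "no"
      # assumed pattern; grep -n prints "LINE:text", cut keeps LINE
      shell: grep -n '=no$' {{ file_path | quote }} | cut -d: -f1
      register: result
      changed_when: false
      # grep exits 1 when nothing matches, which is not an error here
      failed_when: result.rc > 1

    - name: Flip each matching line and report what happened
      shell: >-
        sed -i "{{ item }}s/no/yes/" {{ file_path | quote }}
        && echo restart_needed
      loop: "{{ result.stdout_lines }}"
      register: output
      # inside a loop, "output" is the current item's result here
      changed_when: "'restart_needed' in output.stdout"

    - name: Remember that a restart is needed (never unset once set)
      set_fact:
        restart_needed: "{{ (restart_needed | default(false) | bool) or (output.results | default([]) | map(attribute='stdout') | select('search', 'restart_needed') | list | length > 0) }}"

    # further editing tasks would repeat the two steps above; each one can only
    # add a "true", so the flag survives tasks that changed nothing

    - name: Restart service only when some task asked for it
      service:
        name: myservice
        enabled: yes
        state: restarted
      when: restart_needed | bool
```

With the handler approach from the answer the flag is unnecessary: every editing task reports `changed_when` from its own output and notifies the same handler, and Ansible runs that handler at most once at the end of the play regardless of how many tasks notified it. Using the `lineinfile` or `replace` module instead of `sed` would also remove the need to derive "changed" from `stdout` at all.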
In Ansible I have two separate tasks to get the list of existing services for RedHat 6 and 7. They register to a variable, then I have another task that stops those services. If I use the same variable it gets overwritten by the last task, so it does not stop anything.
Is there a way of distinguishing between the two results and yet only use one task to stop the services? I tried dynamic var names or creating a dictionary, but none work.
Thanks
```yaml
- name: Get registered services
  command: bash -c "chkconfig --list | awk '{print $1}'"
  register: loaded_services_{{ansible_distribution_major_version}}
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "6" ))
  changed_when: False
  tags: test
- name: Get registered services
  command: bash -c "systemctl list-unit-files | grep enabled | cut -d. -f1"
  register: loaded_services_{{ansible_distribution_major_version}}
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "7" ))
  changed_when: False
  tags: test
- name: shutdown unnecessary services
  service: name={{ item }} enabled=no state=stopped
  with_items: "{{ disable_services | intersect(loaded_services_{{ansible_distribution_major_version}}.stdout_lines)}}"
  when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
  tags:
    - harden
    - test
  ignore_errors: yes
```
Try with blocks, first in this way:
```yaml
- block:
    - name: Get registered services
      command: bash -c "chkconfig --list | awk '{print $1}'"
      register: loaded_services
      changed_when: False
      tags: test
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "6" ))
- block:
    - name: Get registered services
      command: bash -c "systemctl list-unit-files | grep enabled | cut -d. -f1"
      register: loaded_services
      changed_when: False
      tags: test
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "7" ))
- name: shutdown unnecessary services
  service: name={{ item }} enabled=no state=stopped
  with_items: "{{ disable_services | intersect(loaded_services.stdout_lines)}}"
  when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
  tags:
    - harden
    - test
  ignore_errors: yes
```
And if that doesn't work, try this other way:
```yaml
- block:
    - name: Get registered services
      command: bash -c "chkconfig --list | awk '{print $1}'"
      register: loaded_services
      changed_when: False
      tags: test
    - name: shutdown unnecessary services
      service: name={{ item }} enabled=no state=stopped
      with_items: "{{ disable_services | intersect(loaded_services.stdout_lines)}}"
      tags:
        - harden
        - test
      ignore_errors: yes
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "6" ))
- block:
    - name: Get registered services
      command: bash -c "systemctl list-unit-files | grep enabled | cut -d. -f1"
      register: loaded_services
      changed_when: False
      tags: test
    - name: shutdown unnecessary services
      service: name={{ item }} enabled=no state=stopped
      with_items: "{{ disable_services | intersect(loaded_services.stdout_lines)}}"
      tags:
        - harden
        - test
      ignore_errors: yes
  when: (( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version == "7" ))
```
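An added example, not code from the question or the answer above. The root cause of the overwrite is that a skipped task still registers its variable (as a result with `skipped: true`), and `register:` does not template its argument, so `loaded_services_{{ ... }}` is stored under that literal name. Registering two statically named variables and letting `set_fact` pick the one whose task actually ran leaves a single stop task for both releases. `disable_services` is the question's variable; the sample service names under `vars` are constructed.

```yaml
# Added example, not from the question or answer: one registered variable per
# release, then one stop task fed by whichever result is not skipped.
- hosts: all
  become: yes
  vars:
    disable_services:      # constructed sample values
      - cups
      - avahi-daemon
  tasks:
    - name: Get registered services (RHEL 6, SysV)
      shell: chkconfig --list | awk '{print $1}'
      register: loaded_services_6
      changed_when: false
      when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"

    - name: Get registered services (RHEL 7, systemd)
      shell: systemctl list-unit-files | grep enabled | cut -d. -f1
      register: loaded_services_7
      changed_when: false
      when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"

    - name: Pick the result of whichever collection task ran
      set_fact:
        # "is skipped" is true for the result of the task the when clause skipped
        loaded_services: "{{ loaded_services_6 if loaded_services_6 is not skipped else loaded_services_7 }}"
      when: ansible_os_family == "RedHat"

    - name: Shutdown unnecessary services
      service:
        name: "{{ item }}"
        enabled: no
        state: stopped
      # default([]) keeps the loop empty when neither release matched
      loop: "{{ disable_services | intersect(loaded_services.stdout_lines | default([])) }}"
      when: ansible_os_family == "RedHat"
      tags:
        - harden
        - test
```

Because the loop is the intersection of the deny list with services that are actually registered on the host, the `service` module is never asked to stop a unit that does not exist, so `ignore_errors` is not needed and a genuine failure to stop a service still surfaces.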