-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make tasks dynamic #194
make tasks dynamic #194
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm okay with this.
This breaks --list-tasks and --tags=cat1,2,3. Also, even ignoring that, we'd have to add tags: always to allow continued use of --tags RHEL-07-XXXXXX |
When writing a playbook that includes both RHEL6 and RHEL7, I've found it most successful to have the 6 and 7 roles in separate plays, specifically to avoid collusion of handlers, but also it has the side effect of not evaluating each RHEL6 task on RHEL7, and vice versa, likely solving your issue. |
Ah never realized the tags problem, yeah that's not good. @tb3088 have you attempted to use the roles in separate plays (within the same playbook)? |
my novice status with Ansible is showing... I split my playbook into separate plays. |
I was hoping to do something like this but the 2 roles (rhel6 and 7) have all their variable names prepended with the role name. If they were all standardized (they're not) and stripped of OS and revision specifiers (eg. rhel6stig_cat1 -> stig_cat1, rhel_07_021021 -> stig_021021) then it would be straight-forward, no?
|
The variable names in each role are named that way so that they stay namespaced to the role. In Ansible if you have two different roles included in a playbook and those roles have a variable named the same one of the values will overwrite the other. See: ansible/ansible#2796 For the other stuff I plan to do some testing to see what you are trying to accomplish and whether there is some improvements that can be made. I too dislike the skipped task output but I'm not sure there is a way around it since we still want tags to work the way they do/etc. |
wow, I didn't realize Vars were not natively name-spaced. I'm coming from Chef and Puppet so of course they would be... |
ANSIBLE_STDOUT_CALLBACK=skippy will hide the skipped tasks from output. Switching to a dynamic include would only improve the case of running a subset of the role based on category. I'd recommend explicitly noting that running multiple lockdown roles in the same play is not supported. Otherwise, you end up calling RHEL6 handlers on RHEL7 hosts and vice versa. If you really want them in the same play, use the dynamic include_role to achieve your goals wrt skipped tasks, and make that include_role dependent on os_family. |
…p excessive evaluation" This reverts commit 0f7f7b9.
What @jamescassell said about using @jamescassell should we consider namespacing handlers or putting OS conditionals on each handler to avoid this issue? Example playbook below: ---
- name: Apply STIG
hosts: all
become: yes
tasks:
- name: Apply STIG
include_role:
name: "RHEL{{ansible_facts['distribution_major_version']}}-STIG" |
I haven't tested, but I suspect your example playbook would do what most users would expect and only pull in handlers for the appropriate OS. I wouldn't jump to namespacing A or conditionalizing handlers unless we really have to... |
I'm getting closer... Looks like some kind of variable scoping problem?
I checked out the Git repo (a submodule) as 'RedHat-#' to follow Ansible Facts values. |
@jamescassell Nope in my example play the RHEL7 handlers run on the RHEL6 host unfortunately. Using @tb3088 In your example gist you have 3 separate plays in a single file...which is the correct approach to avoid the handler problem for now, except the If you want to set/use the vars like that then you should create a file like |
After much "learning" with Ansible, I've settled on the following. If you note, I introduced my own topical variables with allow me to get some inkling as to what behavior I'm modifying. It won't scale too far but I don't expect to have to maintain too many divergent items. https://gist.github.com/tb3088/561d4bc2cee6f32e8da7efb603b04dd6 |
@tb3088 I'm going to close this PR since you've worked out the method to accomplish what you need! |
The Example playbook in the docs is a little light. Would there be merit to including a section of mine that would help others figure it out more readily, or was my problem my lack of experience with Ansible and therefore the correct solution being RTFM? Also, does it make sense to standardize variables in the form header.topic.sub-item instead of header_topic.sub-item? eg. rhel7stig_password_complexity.maxrepeat -> rhel7stig.password.complexity.maxrepeat? |
@tb3088 For the first part...yes we are working on better docs for the role and we plan to put more detailed examples of usage in the https://github.com/ansible/ansible-lockdown repo. For the variable part...I'm not sure it makes sense to have rhel7stig_password_complexity:
maxrepeat: 24
somethingelse: 111 vs rhel7stig:
password:
complexity:
maxrepeat: 4
soemthingelse: 111 |
I have a general hardening Playbook which has both RHEL6 and RHEL7 roles in the hierarchy which should be perfectly valid and reasonable. The use of 'import_tasks' forcibly adds the items and causes them to be evaluated individually only to be skipped by virtue of WHEN pre-conditions higher up. Changing to 'include_tasks' dramatically speeds up Ansible run time.