Multiple plays in the same playbook resolve group variables incorrectly

17 views
Skip to first unread message

Behrang

unread,
May 27, 2018, 10:55:09 PM5/27/18
to Ansible Project
Source code: https://github.com/behrangsa/sample-ansible-role

Background:

I have three different environments: test, staging, and prod and 3 applications that I deploy to them.

In staging and prod, each application have a dedicated server. In test, they all will be deployed to the same box.

The test inventory looks like this:

.
├── group_vars
│   ├── accounting.yml
│   ├── all.yml
│   ├── payroll.yml
│   └── timesheets.yml
└── hosts

The contents of these files are shown here:

hosts

[timesheets]
test.vagrant.local

[payroll]
test.vagrant.local

[accounting]
test.vagrant.local

all.yml

---
sensu_checks_uninstall:
  - basename: check-legacy-process


accounting.yml

---
sensu_checks_install:
  - name: check-accounting-process
    command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*accounting"

payroll.yml

---
sensu_checks_install:
  - name: check-payroll-process
    command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*payroll"

timesheets.yml

---
sensu_checks_install:
  - name: check-timesheets-process
    command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets"


The sensu-check-role creates a file named "{{ name }}.json" for each item in the sensu_checks_install array.

The playbook looks like this:

---
- hosts: timesheets
  remote_user: vagrant
  sudo: True
  gather_facts: True
  roles:
   - sensu-check-role

- hosts: accounting
  remote_user: vagrant
  sudo: True
  gather_facts: True
  roles:
   - sensu-check-role

- hosts: payroll
  remote_user: vagrant
  sudo: True
  gather_facts: True
  roles:
   - sensu-check-role

I was expecting the playbook to create three files:
  • check-accounting-process.json
  • check-payroll-process.json
  • check-timesheets-process.json

But all the plays resolve the same sensu_checks_install variable and hence overwrite each others generated files and in the end only one file gets created:

↪ ansible-playbook -i inv/test/hosts playbook.yml --private-key vagrant/.vagrant/machines/default/virtualbox/private_key -vv                            12:45:01
ansible-playbook 2.5.3
  config file = /Users/behrang/ansible/ansible.cfg
  configured module search path = [u'/Users/behrang/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.5.3/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 2.7.15 (default, May  1 2018, 16:44:14) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
Using /Users/behrang/ansible/ansible.cfg as config file

PLAYBOOK: playbook.yml *****************************************************************************************************************************************
3 plays in playbook.yml

PLAY [timesheets] **********************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************
task path: /Users/behrang/ansible/playbook.yml:2
ok: [test.vagrant.local]
META: ran handlers

TASK [sensu-check-role : Create checks directory] **************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:2
ok: [test.vagrant.local] => {"changed": false, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/etc/sensu/conf.d/checks/", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}

TASK [sensu-check-role : Uninstall redundant checks] ***********************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:7
ok: [test.vagrant.local] => (item={u'basename': u'check-legacy-process'}) => {"changed": false, "item": {"basename": "check-legacy-process"}, "path": "/etc/sensu/conf.d/checks//check-legacy-process.json", "state": "absent"}

TASK [sensu-check-role : Compile checks] ***********************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:13
ok: [test.vagrant.local] => (item={u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}) => {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}

TASK [sensu-check-role : Copy checks] **************************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:19
ok: [test.vagrant.local] => (item={'changed': False, '_ansible_no_log': False, 'failed': False, '_ansible_item_result': True, 'item': {u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}, 'ansible_facts': {u'check_def': {'name': u'check-timesheets-process'}}, '_ansible_ignore_errors': None}) => {"changed": false, "checksum": "4dcc6d84ebf99973919d7676991e2ba2cc5f8736", "dest": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "gid": 0, "group": "root", "item": {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "failed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}, "mode": "0644", "owner": "root", "path": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "secontext": "system_u:object_r:etc_t:s0", "size": 36, "state": "file", "uid": 0}
META: ran handlers
META: ran handlers

PLAY [accounting] **********************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************
task path: /Users/behrang/ansible/playbook.yml:9
ok: [test.vagrant.local]
META: ran handlers

TASK [sensu-check-role : Create checks directory] **************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:2
ok: [test.vagrant.local] => {"changed": false, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/etc/sensu/conf.d/checks/", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}

TASK [sensu-check-role : Uninstall redundant checks] ***********************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:7
ok: [test.vagrant.local] => (item={u'basename': u'check-legacy-process'}) => {"changed": false, "item": {"basename": "check-legacy-process"}, "path": "/etc/sensu/conf.d/checks//check-legacy-process.json", "state": "absent"}

TASK [sensu-check-role : Compile checks] ***********************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:13
ok: [test.vagrant.local] => (item={u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}) => {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}

TASK [sensu-check-role : Copy checks] **************************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:19
ok: [test.vagrant.local] => (item={'changed': False, '_ansible_no_log': False, 'failed': False, '_ansible_item_result': True, 'item': {u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}, 'ansible_facts': {u'check_def': {'name': u'check-timesheets-process'}}, '_ansible_ignore_errors': None}) => {"changed": false, "checksum": "4dcc6d84ebf99973919d7676991e2ba2cc5f8736", "dest": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "gid": 0, "group": "root", "item": {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "failed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}, "mode": "0644", "owner": "root", "path": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "secontext": "system_u:object_r:etc_t:s0", "size": 36, "state": "file", "uid": 0}
META: ran handlers
META: ran handlers

PLAY [payroll] *************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************
task path: /Users/behrang/ansible/playbook.yml:16
ok: [test.vagrant.local]
META: ran handlers

TASK [sensu-check-role : Create checks directory] **************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:2
ok: [test.vagrant.local] => {"changed": false, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/etc/sensu/conf.d/checks/", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}

TASK [sensu-check-role : Uninstall redundant checks] ***********************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:7
ok: [test.vagrant.local] => (item={u'basename': u'check-legacy-process'}) => {"changed": false, "item": {"basename": "check-legacy-process"}, "path": "/etc/sensu/conf.d/checks//check-legacy-process.json", "state": "absent"}

TASK [sensu-check-role : Compile checks] ***********************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:13
ok: [test.vagrant.local] => (item={u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}) => {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}

TASK [sensu-check-role : Copy checks] **************************************************************************************************************************
task path: /Users/behrang/ansible/roles/sensu-check-role/tasks/main.yml:19
ok: [test.vagrant.local] => (item={'changed': False, '_ansible_no_log': False, 'failed': False, '_ansible_item_result': True, 'item': {u'command': u'/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets', u'name': u'check-timesheets-process'}, 'ansible_facts': {u'check_def': {'name': u'check-timesheets-process'}}, '_ansible_ignore_errors': None}) => {"changed": false, "checksum": "4dcc6d84ebf99973919d7676991e2ba2cc5f8736", "dest": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "gid": 0, "group": "root", "item": {"ansible_facts": {"check_def": {"name": "check-timesheets-process"}}, "changed": false, "failed": false, "item": {"command": "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets", "name": "check-timesheets-process"}}, "mode": "0644", "owner": "root", "path": "/etc/sensu/conf.d/checks//check-timesheets-process.json", "secontext": "system_u:object_r:etc_t:s0", "size": 36, "state": "file", "uid": 0}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************************************************************************
test.vagrant.local         : ok=15   changed=0    unreachable=0    failed=0

Why is Ansible behaving this way? What am I doing wrong here?

Thanks in advance,
Behrang

Behrang

unread,
May 28, 2018, 12:53:31 AM5/28/18
to Ansible Project
Turned out this was expected behavior. From the docs:

It is ok to put systems in more than one group, for instance a server could be both a webserver and a dbserver. If you do, note that variables will come from all of the groups they are a member of. 

In the meantime, I have worked around it by using play vars/var_files. For example:

---
- hosts: timesheets
  remote_user: vagrant
  sudo: True
  gather_facts: False
  vars:
    sensu_checks_install:
      - name: check-timesheets-process
        command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets"
  roles:
   - sensu-check-role

- hosts: accounting
  remote_user: vagrant
  sudo: True
  gather_facts: False
  vars:
    sensu_checks_install:
      - name: check-accounting-process
        command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*timesheets"
  roles:
   - sensu-check-role

- hosts: payroll
  remote_user: vagrant
  sudo: True
  gather_facts: False
  vars:
    sensu_checks_install:
      - name: check-payroll-process
        command: "/etc/sensu/plugins/community/check-procs.rb -c 1 -p java.*payroll"
  roles:
   - sensu-check-role
Reply all
Reply to author
Forward
0 new messages