Template paths

[Joe Adams]

I tried asking the IRC channel but I didn't get any responses so I figure that the mailing list might be better suited to this question. I'm trying to build an extensible iptables template. All of my hosts will need some amount of custom rules to be added so I feel that extending a template would be a great way to achieve this. My base template looks like this:

#roles/common/templates/iptables.j2

{% block nat %}

{% endblock nat %}

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

# SSH

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

{% block role_rules %}

{% endblock role_rules %}

# Drop All

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

So then I created a template for another host to add it's role specific information in. This template looks like this:

{% extends "roles/common/templates/iptables.j2" %}

{% block role_rules %}

-A INPUT -m state --state NEW -m tcp -p tcp --dport 9000 -j ACCEPT

{% endblock role_rules %}

This was working until I moved my playbooks into a folder to organize them. Now I can't seem to fix the path to make the template extends tag work. I even tried an absolute path. 

Here's my directory structure:

ansible/

    ansible.cfg

    hosts/

        dev

        qa

        groupvars/

            dev

            qa

    playbooks/

        roles/

            common.yml

            roleA.yml

            roleB.yml

    roles/

        common/

            templates/

                iptables.j2

            tasks/

                main.yml

        roleA/

            templates/

                iptables.j2

            tasks/

                main.yml

I keep getting this error when I get to the play that templates the iptables file:

{'msg': 'AnsibleError: file: /path/to/ansible/roles/vickyvale/templates/iptables.j2, error: Cannot find/not allowed to load (include) template /path/to/ansible/roles/common/templates/iptables.j2', 'failed': True}

[John Favorite]

permissions issue?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/77a802c6-b3a5-4895-8430-700f99daf0f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael DeHaan]

For starters, what ansible version are you using?

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAKsMCETohhhtbr79k8cgqm%2B%3DqxM-Fjytc-Kz_jbnimxQ456cJg%40mail.gmail.com.

[Joe Adams]

I originally though it might be permissions, but both templates are 0664 with my account being owner. 

I'm using ansible version 1.7.2

[Joe Adams]

Is there somewhere that documents what paths are searched when inside a template or in include calls from within a template? I can't find much information about this at all. 

[Brian Coca]

It looks for the file in the "base" directory or in the templates/ subdirectory. The "base" directory is the directory of the current play or role.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c2534bbb-8eaa-4875-9168-d1d6df1d57f1%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Brian Coca

[Joe Adams]

So is there no way to include from a folder other than the current role's folder? Is there no way to share/extend templates between roles?

[Joe Adams]

So is there no way of including or extending templates from other roles? It would seem that this is a really powerful feature of the templating language that would make many configurations more versatile and powerful. Is what I'm trying to do not possible with Ansible?

On Monday, October 27, 2014 4:25:33 PM UTC-4, Brian Coca wrote:

[Brian Coca]

assuming all roles are in the same directory, you could do relative paths to other roles' template directory.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/a1db82ee-fd0d-4fb4-8bc8-6c488df27a7a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Brian Coca

[Joe Adams]

I've tried that but I can't seem to get it to work. Here are the paths I've tried so far:

common/templates/iptables.j2

../common/templates/iptables.j2

../../common/templates/iptables.j2

../../../common/templates/iptables.j2

/absolute/path/to/common/templates/iptables.j2

I get the same error message for all of them. 

[Brian Coca]

hmm, I've only tested this by invoking the templates through the modules (in that case ../../common/templates/iptables.j2 should work).

 I need to check env when calling template to see the base path (probably playbook relative) for doing the includes from inside the template engine.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d835065f-7aba-4299-9477-b080ac5fa749%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Brian Coca

[Joe Adams]

After some more playing, I found that if I move my roles/ directory into the folder with the playbooks, things work like they used to work. However, if I move to roles/ directory anywhere higher in the hierarchy than the playbook, it seems that the path can not be resolved inside the template. 

I have decided to again reorganize my code/configs so that I can put the roles/ directory parallel to all the playbooks. It's slightly less ideal as the number of playbooks grow, but it maintains all needed functionality. If there's a better suggestion, I would be all for it. 

[randy....@level12.io]

I've had the same problem.  There is an issue for it:

https://github.com/ansible/ansible/issues/7106

and I have created a patch that will also use the roles directory as a base for the lookups:

https://github.com/ansible/ansible/pull/9933

However, there are 300+ pull requests sitting out there, I'm a bit bummed that it may not get any attention.

[Michael DeHaan]

Everything is going to get attention, the question is simply what gets attention next :)

It might help if people quit telling others how good Ansible is, and such.  </kidding>

Ultimately we do admit we are concentrating on things that affect the most folks first.

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7815f7bb-c68f-4ed6-aeb6-a6a9c7abb890%40googlegroups.com.

[Randy Syring]

Michael,

I understand, success always brings with it a requirement to priorities.

My pull request is only five lines and I believe pretty benign.  Anything I can do to make it more likely to get merged in?

https://github.com/ansible/ansible/pull/9933/files

Randy Syring
Chief Executive Developer
Direct: 502.276.0459
Office: 812.285.8766

You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/hLBux9z4JbI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgy7ct6_B3hMbqmHYSHM8KqdS53u1Bp%2B7Fc497cpPYg3EA%40mail.gmail.com.

[Michael DeHaan]

This is in template.py which is going to be superceeded by the v2 tree, unfortunately.

We are unlikely to release this file again in it's current state.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/54AAE8F8.1010304%40level12.io.

[Randy Syring]

Can you point me to the comparable file in the v2 tree?  If you think you would approve a similar logic change, I'll work on making it.  Or, maybe this issue is already addressed in v2?

Randy Syring
Chief Executive Developer
Direct: 502.276.0459
Office: 812.285.8766

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgy2M3iuSXbzWDhXat%3DT%3DE4fLEYwtBarJkX5880dT9VZAA%40mail.gmail.com.

[Joe Adams]

I'm very glad that someone else has run into the same issue. That makes me feel that my use isn't totally off the wall. 

This file looks to be the one you'll need but it's pretty empty at the moment. I don't think that v2 is mature enough at the moment to accept any changes because most of it isn't functional yet from the looks of the code. 

https://github.com/ansible/ansible/blob/devel/v2/ansible/executor/template_engine.py

I would think that it would actually do a lot of good merging this change into the current tree whether or not it gets released. It can always be run from a git checkout if the feature is critical. When the template engine gets reworked for v2, these changes or considerations would be more visible to whoever makes the code change. Just my 2 cents, but I hope it helps. 

[Michael DeHaan]

v2 is not open for submissions just yet, plugins are in progress -- we anticipate this should be ready in about a month or so for helping testing and development.   There will be an analogous file in the action_plugins tree, called template.py, and be pretty similar, just a bit nicer.

The main parts are cleaning up the other pieces of code that it uses and touches it.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/008f0a65-ff3a-4d77-853b-23081d402e83%40googlegroups.com.