ansible replace with_items prepends the letter 'u'


expectan...@gmail.com

May 4, 2018, 11:55:19 AM
to Ansible Project
I'm trying to use the replace module to update SSL ciphers and seem to be running into a Unicode issue. 

The code:

---
- hosts: all
  gather_facts: False
  become: True
  vars:
    text_for_EL6:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms diffie-hellman-group-exchange-sha256' }
      - { regexp: '^MACs', line: 'MACs hmac-sha2-512,hmac-sha2-256' }
      - { regexp: '^Ciphers', line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' }
    text_for_EL7:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve255...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' }
      - { regexp: '^Ciphers', line: 'Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' }
      - { regexp: '^MACs', line: 'MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac...@openssh.com' }

  tasks:
  - name: check and store ssh version
    shell: rpm -qa openssh
    register: ssh_version_result

  - name: Set ciphers for EL6 - OpenSSL 5.3
    replace:
      backup: yes
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      replace: '{{ item.line }}'
    when: ssh_version_result.stdout.find('openssh-5') != -1
    with_items:
      - "{{text_for_EL6}}"
    notify: restart sshd

  - name: Set ciphers for EL7 - OpenSSL > 6.7
    replace:
      backup: yes
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      replace: '{{ item.line }}'
    when: ssh_version_result.stdout.find('openssh-7') != -1
    with_items:
      - "{{text_for_EL7}}"
    notify: restart sshd

  handlers:
  - name: restart sshd
    service: name=sshd state=restarted
...

The result:

$ ansible-playbook update_sshd_ciphers.yml --limit my_server
SUDO password:

PLAY [all] ********************************************************************************************************************************************************************************************************************************

TASK [check ssh versions] *****************************************************************************************************************************************************************************************************************
 [WARNING]: Consider using yum, dnf or zypper module rather than running rpm

changed: [my_server]

TASK [Set ciphers for EL6 - OpenSSL 5.3] **************************************************************************************************************************************************************************************************
skipping: [my_server] => (item={u'regexp': u'^KexAlgorithms', u'line': u'KexAlgorithms diffie-hellman-group-exchange-sha256'})
skipping: [my_server] => (item={u'regexp': u'^MACs', u'line': u'MACs hmac-sha2-512,hmac-sha2-256'})
skipping: [my_server] => (item={u'regexp': u'^Ciphers', u'line': u'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'})

TASK [Set ciphers for EL7 - OpenSSL > 6.7] ************************************************************************************************************************************************************************************************
ok: [my_server] => (item={u'regexp': u'^KexAlgorithms', u'line': u'KexAlgorithms curve255...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'})
ok: [my_server] => (item={u'regexp': u'^Ciphers', u'line': u'Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'})
ok: [my_server] => (item={u'regexp': u'^MACs', u'line': u'MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac...@openssh.com'})

PLAY RECAP ********************************************************************************************************************************************************************************************************************************
my_server                  : ok=2    changed=1    unreachable=0    failed=0

I am not certain but I think the prepended 'u' is the problem. 

Toshio Kuratomi

May 4, 2018, 12:05:08 PM
to ansible...@googlegroups.com
Is it showing up in your sshd_config file or just in the display of what each item was?

-Toshio


expectan...@gmail.com

May 4, 2018, 12:09:15 PM
to Ansible Project
I'm not sure what I was thinking but this has nothing to do with the 'u' - the code is working just as expected since these lines do not yet exist. What I needed to use was lineinfile, not replace. Changes highlighted below and it's working now.
 
---
- hosts: all
  gather_facts: False
  become: True
  vars:
    text_for_EL6:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms diffie-hellman-group-exchange-sha256' }
      - { regexp: '^MACs', line: 'MACs hmac-sha2-512,hmac-sha2-256' }
      - { regexp: '^Ciphers', line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' }
    text_for_EL7:
      - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve255...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' }
      - { regexp: '^Ciphers', line: 'Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes128-g...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' }
      - { regexp: '^MACs', line: 'MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-1...@openssh.com' }

  tasks:
  - name: check and store ssh version
    shell: rpm -qa openssh
    register: ssh_version_result

  - name: Set ciphers for EL6 - OpenSSL 5.3
    lineinfile:
      backup: yes
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
    when: ssh_version_result.stdout.find('openssh-5') != -1
    with_items:
      - "{{text_for_EL6}}"
    notify: restart sshd

  - name: Set ciphers for EL7 - OpenSSL > 6.7
    lineinfile:
      backup: yes
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
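
Added example, not part of the thread and not Ansible's own code: a simplified Python model of the documented behaviour of `replace` and `lineinfile`, showing why `replace` reports ok and leaves sshd_config untouched when no matching line exists, and what it does to a directive that is already present. The sample configs and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the thread): one sshd_config with no
# Ciphers directive, one with an existing weak value.
CONFIG_WITHOUT = "Port 22\nPermitRootLogin no\n"
CONFIG_WITH = "Port 22\nCiphers aes128-cbc,3des-cbc\n"
REGEXP = r"^Ciphers"
LINE = "Ciphers aes256-ctr,aes192-ctr,aes128-ctr"


def replace_model(text, regexp, replacement):
    """Model of `replace`: substitute only the matched text, file-wide."""
    new_text, count = re.subn(regexp, replacement, text, flags=re.MULTILINE)
    return new_text, count > 0


def lineinfile_model(text, regexp, line):
    """Model of `lineinfile` (state=present): swap the last matching line
    for `line`, or append `line` at end of file when nothing matches."""
    lines = text.splitlines()
    pattern = re.compile(regexp)
    hits = [i for i, existing in enumerate(lines) if pattern.search(existing)]
    if hits:
        changed = lines[hits[-1]] != line
        lines[hits[-1]] = line
    else:
        lines.append(line)
        changed = True
    return "\n".join(lines) + "\n", changed


def directive_values(text, keyword):
    """Return every value set for `keyword` (sshd keywords ignore case)."""
    values = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            values.append(parts[1])
    return values


if __name__ == "__main__":
    for label, config in (("no Ciphers line", CONFIG_WITHOUT),
                          ("weak Ciphers line", CONFIG_WITH)):
        for model in (replace_model, lineinfile_model):
            result, changed = model(config, REGEXP, LINE)
            print(label, model.__name__, "changed=%s" % changed,
                  directive_values(result, "Ciphers"))
```

With the pattern `^Ciphers`, the `replace` model leaves the old algorithm list trailing after the new one on an existing line, so a post-change check should confirm the directive has exactly the intended value.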