Generating TSIG Keys for Bind server


Ken Jenney

Oct 22, 2017, 4:02:12 PM10/22/17
to Ansible Project
I need to generate TSIG keys for use by nsupdate. dnssec-keygen creates two files after run:

- name: generate TSIG keys
  command: "dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST {{item.name}}"
  args:
    chdir: '{{ bind_base_zones_path }}/tsig/{{item.name}}/'
  with_items: '{{bind_config_master_zones}}'

I need to copy the generated key in one of the files and insert it into a new file (named.conf.local):

- name: populate TSIG key config
  command: "grep Key {{ bind_base_zones_path }}/tsig/{{item.name}}/K{{item.name}}.*.private | awk '{print $2}'"
  register: 'key-{{ item.name }}'
  with_items: '{{bind_config_master_zones}}'

My problem is that the grep returns "No such file or directory" even though a grep locally on the system returns the key. I suspect an issue with the regex. The other issue is with the dynamic nature of the variables.

How can I extract the key from the files generated and copy them into the config file?



Kai Stian Olstad

Oct 22, 2017, 4:51:21 PM10/22/17
to ansible...@googlegroups.com
On 22. okt. 2017 22:02, Ken Jenney wrote:
> I need to copy the generated key in one of the files and insert it into a
> new file (named.conf.local):
>
> - name: populate TSIG key config
> command: "grep Key {{ bind_base_zones_path
> }}/tsig/{{item.name}}/K{{item.name}}.*.private | awk '{print $2}'"
> register: 'key-{{ item.name }}'
> with_items: '{{bind_config_master_zones}}'
>
> My problem is that the grep returns "No such file or directory" even though
> a grep locally on the system returns the key. I suspect an issue with the
> regex. The other issue is with the dynamic nature of the variables.
>
> How can I extract the key from the files generated and copy them into the
> config file?


When using a pipe, and I guess also a wildcard, you must use the shell module.

Register doesn't support variables in it, so here you create the literal variable "key-{{ item.name }}".
You can only register to one variable, and since you are using with_items the variable will contain a list, one for each item.


--
Kai Stian Olstad

Ken Jenney

Oct 23, 2017, 10:30:08 AM10/23/17
to Ansible Project
Thanks!

Another question:

If I use with_dict to register the variable how do I access stdout from the shell command:

- name: populate TSIG key config
  command: "grep Key {{ bind_base_zones_path }}/tsig/{{item.key}}/K{{item.key}}.*.private | awk '{print $2}'"
  register: 'tsig_keys'
  with_items: '{{bind_config_master_zones}}'

Kai Stian Olstad

Oct 23, 2017, 10:44:13 AM10/23/17
to ansible...@googlegroups.com
On 23. okt. 2017 16:30, Ken Jenney wrote:
> Thanks!
>
> Another question:
>
> If I use with_dict to register the variable how do I access stdout from the
> shell command:
>
> - name: populate TSIG key config
> command: "grep Key {{ bind_base_zones_path }}/tsig/{{item.key}}/K{{item.key}}.*.private | awk
> '{print $2}'"
> register: 'tsig_keys'
> with_items: '{{bind_config_master_zones}}'
>

Well, this task uses with_items and the command module.

But when using with_* your result will be in {{ tsig_keys.results }}, this is a list, one list entry for each item.

tsig_keys.results.0.stdout is the first, tsig_keys.results.1.stdout is the second and so on.

I recommend using

  - debug: var=tsig_keys

This will show all the content of the variable in a human-readable format.


--
Kai Stian Olstad

Ken Jenney

Oct 23, 2017, 10:57:29 AM10/23/17
to Ansible Project
I can extract the stdout from the shell command, but ultimately I'm going to want to associate the stdout of the shell command with a zone. So if I use with_items and iterate over each result, all I've got is a number. How do I re-associate that number with its corresponding zone?

Here's an example of the zone variables:

  vars:
    bind_config_master_zones:
      example.org:
        dnssec: yes
        mail: ops.example.org
        serial: 2017092200
        refresh: 3600
        retry: 1800
        expire: 2419200
        negative_cache: 300
      example.com:
        dnssec: yes
        mail: ops.example.com
        serial: 2016102200
        refresh: 3600
        retry: 1800
        expire: 2419200
        negative_cache: 300

I'd want to set a fact from tsig_keys.results.0.stdout to example.org.key and tsig_keys.results.1.stdout to example.com.key. How can I do that?

Ken Jenney

Oct 23, 2017, 11:24:54 AM10/23/17
to Ansible Project
I figured it out:

I don't need to set facts - I need to set the keys in config files. I can use templates to iterate over the zones and pull the values from the results. I'll update with my answer once I have tested it.
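Pulling the thread's pieces together, as an added example that is not the poster's eventual playbook: every entry in tsig_keys.results keeps the loop item it was produced from, so the template can pair each secret with its zone by name instead of by list position, and this works the same way for with_dict and with_items. The host group, the paths and the bind user/group are assumptions, and HMAC-SHA256 is used in place of the thread's HMAC-MD5.

```yaml
# Added example, not the poster's playbook: one TSIG key per zone, then a
# named.conf.local keyed by zone name. Host group and paths are assumed.
- hosts: dns_masters
  vars:
    bind_base_zones_path: /etc/bind/zones            # assumed
    bind_config_master_zones:                        # shape from the thread
      example.org: { mail: ops.example.org }
      example.com: { mail: ops.example.com }
  tasks:
    - name: per-zone key directory, readable by the bind user only
      file:
        path: "{{ bind_base_zones_path }}/tsig/{{ item.key }}"
        state: directory
        owner: bind
        group: bind
        mode: "0750"
      with_dict: "{{ bind_config_master_zones }}"
    - name: generate a TSIG key per zone (HMAC-SHA256 rather than HMAC-MD5)
      command: "dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST {{ item.key }}"
      args:
        chdir: "{{ bind_base_zones_path }}/tsig/{{ item.key }}"
        # creates accepts a glob, so a re-run does not mint a second key
        creates: "{{ bind_base_zones_path }}/tsig/{{ item.key }}/K{{ item.key }}.+*.private"
      with_dict: "{{ bind_config_master_zones }}"
    - name: read the secret (the pipe and the glob need the shell module)
      shell: "grep '^Key:' {{ bind_base_zones_path }}/tsig/{{ item.key }}/K{{ item.key }}.+*.private | awk '{print $2}'"
      register: tsig_keys
      changed_when: false
      failed_when: tsig_keys.stdout | length == 0    # no Key line, no key
      no_log: true                                   # secrets stay out of the log
      with_dict: "{{ bind_config_master_zones }}"
    # Each entry of tsig_keys.results keeps the loop item it came from, so the
    # zone is r.item.key; no need to map list positions back to zones.
    - name: write named.conf.local with a key and zone stanza per zone
      copy:
        dest: /etc/bind/named.conf.local
        owner: root
        group: bind
        mode: "0640"
        content: |
          {% for r in tsig_keys.results %}
          key "{{ r.item.key }}" {
              algorithm hmac-sha256;
              secret "{{ r.stdout }}";
          };
          zone "{{ r.item.key }}" {
              type master;
              file "{{ bind_base_zones_path }}/db.{{ r.item.key }}";
              allow-update { key "{{ r.item.key }}"; };
          };
          {% endfor %}
```

With with_items instead of with_dict the zone name is r.item rather than r.item.key. Newer BIND releases (9.13 and later) dropped TSIG generation from dnssec-keygen in favour of tsig-keygen, which prints the key stanza directly and removes the grep step.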