Escaping special characters inside variable?


John Oliver

Nov 25, 2014, 12:02:56 PM
to ansible...@googlegroups.com

- name: Check if postgres is already allowed via IPv4
  shell: grep '^-A\ INPUT\ -s\ {{roundcube_host}}\ -p\ tcp\ -m\ state\ --state\ NEW\ -m\ tcp\ --dport\ 5432\ -j\ ACCEPT' /etc/sysconfig/iptables >/dev/null 2>&1
  ignore_errors: true
  register: result

- name: Allow incoming IPv4 PostGreSQL connections through iptables
  lineinfile: dest=/etc/sysconfig/iptables
              regexp='^-A\ INPUT\ -s\ {{roundcube_host}}\ -p\ tcp\ -m\ state\ --state\ NEW\ -m\ tcp\ --dport\ 5432\ -j\ ACCEPT'
              insertbefore='^-A\ INPUT\ -j\ LOGGING'
              line="-A INPUT -s {{roundcube_host}} -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT"
  when: result|failed
  notify: Restart iptables


My test will always fail because I'm sure it's trying to evaluate the {{roundcube_host}} variable without escaping the periods in the IP address.

I could write a sed recipe that will read out {{roundcube_host}}, insert backslashes before dots, and write that to a new variable.  But has this wheel already been invented?  I can assume the presence of tools like sed on the target host, but not on the host that's running the playbook.  And it's possible that the playbook might be run from either a GNU or BSD system, and a recipe I write for one might not work with the other.  It seems a little messy to send this to the remote host for operations and bring the result back :-)

Dan Vaida

Jan 3, 2015, 12:23:17 PM
to ansible...@googlegroups.com
When you say you're sure, is that because you tried 'debug: var=result'?

Furthermore, are you doing something else with Postgres' port in your iptables rule? If not, simply remove the first task and then in the second task, remove everything before '-p\ tcp...' from the regexp and you should be fine.
Regardless, you should be fine with only the lineinfile task. You can achieve true idempotence with a proper regexp.

Personally, I would set the rules through an Ansible template.

Tom Bamford

Jan 3, 2015, 1:46:38 PM
to ansible...@googlegroups.com
Hi John

Python has the re.escape() method but I don't know if Ansible exposes this in the form of a Jinja2 filter (seemingly not, looking at https://github.com/ansible/ansible/blob/devel/lib/ansible/runner/filter_plugins/core.py).

I'm curious, why both the check with grep and the regexp option to lineinfile?

Regards
Tom
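
An added example (not code from the thread or from Ansible): a small filter plugin wrapping the re.escape() mentioned above, run against constructed rule lines. An unescaped dot still matches a literal dot, so the raw pattern finds the intended rule but also accepts a rule for a different source. The names regex_escape, rule_regex and matching_lines and the sample hosts are assumptions of this example.

```python
import re

# Rule text from the playbook in the question; {host} stands in for
# {{roundcube_host}}.
RULE = ("-A INPUT -s {host} -p tcp -m state --state NEW "
        "-m tcp --dport 5432 -j ACCEPT")


def regex_escape(value):
    """Escape regex metacharacters so the value is matched literally."""
    return re.escape(str(value))


class FilterModule(object):
    """Filter-plugin shape Ansible loads from a filter_plugins/ directory,
    giving templates {{ roundcube_host | regex_escape }} (hypothetical name)."""

    def filters(self):
        return {"regex_escape": regex_escape}


def rule_regex(host, escape=True):
    """Anchored regex for the rule; only the host's treatment varies."""
    before, after = RULE.split("{host}")
    middle = regex_escape(host) if escape else str(host)
    return re.compile("^" + re.escape(before) + middle + re.escape(after) + "$")


def matching_lines(host, lines, escape=True):
    """Lines of a rules file that the regex built for `host` matches."""
    rx = rule_regex(host, escape)
    return [line for line in lines if rx.search(line)]


# Constructed sample rules file (not taken from the thread).
SAMPLE = [
    RULE.format(host="10.1.2.3"),
    RULE.format(host="mail-example.com"),
    RULE.format(host="mail.example.com"),
    "-A INPUT -j LOGGING",
]

if __name__ == "__main__":
    for host in ("10.1.2.3", "mail.example.com"):
        for escape in (False, True):
            hits = matching_lines(host, SAMPLE, escape)
            print(host, "escaped" if escape else "raw", len(hits), "match(es)")
```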

